State Data Breach Notification Letter

SOUTH CAROLINA DATA BREACH NOTIFICATION PACKAGE

(Prepared for Immediate Submission to the South Carolina Office of the Attorney General and Department of Consumer Affairs, and for Distribution to Affected South Carolina Residents)


TABLE OF CONTENTS

  1. Agency Notification Cover Letter (SC-AG / SCDCA)
  2. Attachment A – Resident (“Consumer”) Notice Template
  3. Attachment B – Incident Facts & Chronology (Internal Use / Agency-Only)*
  4. Attachment C – Sample Substitute Notice (Website / Media)*

Items marked with an asterisk are not ordinarily provided to consumers but should accompany the agency filing under S.C. Code Ann. § 39-1-90.


1. AGENCY NOTIFICATION COVER LETTER

(Use company letterhead – one signed original + electronic copy)

[DATE]

VIA CERTIFIED MAIL, RETURN RECEIPT REQUESTED
AND ELECTRONIC MAIL TO: [email protected]

The Honorable [NAME]
Attorney General of South Carolina
Office of the Attorney General
P.O. Box 11549
Columbia, South Carolina 29211

AND

South Carolina Department of Consumer Affairs
Attn: Data Security Breach Response Program
P.O. Box 5757
Columbia, South Carolina 29250-5757

Re: Security Breach Notification Pursuant to S.C. Code Ann. § 39-1-90

Dear Attorney General [LAST NAME] and Department Officials:

  1. Executive Summary
    Pursuant to S.C. Code Ann. § 39-1-90, [COMPANY LEGAL NAME], a [STATE OF INCORPORATION] [corporation/LLC/etc.] (“Company”), hereby notifies your offices of a breach of the security of our system involving “Personal Information,” as that term is defined in § 39-1-90(D). The breach affects approximately [###] South Carolina residents.

  2. Incident Description
    • Date(s) of Breach: [MM/DD/YYYY – MM/DD/YYYY]
    • Date Breach Discovered: [MM/DD/YYYY]
    • Nature of Breach: [unauthorized access/malware/insider threat/etc.]
    • Data Elements Involved: [full name, SSN, driver’s license number, financial account number, etc.]
    • Systems Affected: [e-commerce platform, HR database, third-party vendor, etc.]

[// GUIDANCE: Provide a concise, factual description—avoid speculation. If a law-enforcement hold delayed notice, include the date the hold was lifted and attach documentation.]

  3. Scope of Impact
    • Total individuals affected nationwide: [###]
    • South Carolina residents: [###]
    • Other jurisdictions notified / to be notified: [list]

  4. Remediation & Mitigation
    • Immediate containment steps completed on [MM/DD/YYYY].
    • Ongoing remediation: [password resets, system hardening, third-party forensics].
    • Complimentary services offered to affected residents: [credit monitoring, identity restoration, fraud alerts] for [##] months at no cost.
    • Customer care line established: [telephone] (toll-free) and [dedicated email].

  5. Timing of Notice
    Company is providing notice “in the most expedient time possible and without unreasonable delay” as required by § 39-1-90(E), having concluded its internal investigation on [MM/DD/YYYY] and after consultation with law-enforcement authorities.

  6. Consumer Notification
    Written notices to affected South Carolina residents will commence on [MAIL DATE] and will substantially conform to the template attached hereto as Attachment A.

  7. Substitute / Supplemental Notice (if applicable)
    Should direct mail be impracticable under § 39-1-90(K), Company will implement substitute notice as shown in Attachment C.

  8. Nationwide Consumer Reporting Agency Notice
    Because more than 1,000 individuals nationwide are being notified, Company will, contemporaneously with this filing, notify the specified agencies of the timing, distribution, and estimated number of notices, consistent with § 39-1-90(I).

  9. Point of Contact
    Please direct any questions to:

    • Name: [PRIMARY CONTACT NAME]
    • Title: [Chief Privacy Officer / General Counsel]
    • Telephone: [(###) ###-####]
    • Email: [#####@company.com]
    • Mailing Address: [ADDRESS]

Company respectfully submits this notification and stands ready to cooperate with any further inquiries.

Sincerely,


[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Legal Name]

Enclosures:
• Attachment A – Resident Notice Template
• Attachment B – Incident Facts & Chronology (Confidential)
• Attachment C – Substitute Notice Sample (if required)


2. ATTACHMENT A – RESIDENT (“CONSUMER”) NOTICE TEMPLATE

(Send on company letterhead; one letter per individual. Insert personal salutation and mailing address.)

[DATE]

Notice of Data Security Incident

Dear [FIRST NAME] [LAST NAME]:

  1. What Happened?
    On [DATE], we discovered that an unauthorized party gained access to portions of our computer network between [DATE RANGE]. Upon discovery, we immediately secured our systems and engaged leading cybersecurity specialists to investigate.

  2. What Information Was Involved?
    Our investigation determined that the following elements associated with you may have been accessed:
    • [specific data elements].
    We have no evidence that your information has been misused; however, we are notifying you out of an abundance of caution.

  3. What We Are Doing.
    • Enhanced Security: We have implemented additional technical safeguards and are reviewing our policies and procedures.
    • Complimentary Identity Protection: We are offering you [##] months of [credit monitoring/identity restoration] services at no cost. Enrollment instructions appear below.
    • Law-Enforcement Notification: We have reported this incident to the South Carolina Office of the Attorney General, the South Carolina Department of Consumer Affairs, and federal law-enforcement authorities.

  4. What You Can Do.
    • Enroll in Complimentary Services: Visit [URL] or call [TEL] with activation code [CODE] by [ENROLLMENT DEADLINE].
    • Remain Vigilant: Review account statements and credit reports. You may obtain a free credit report annually from each of the three nationwide consumer reporting agencies by visiting www.annualcreditreport.com or calling (877) 322-8228.
    • Fraud Alerts & Security Freezes: You have the right to place a fraud alert or security freeze on your credit file at no cost. Contact information for the credit bureaus is provided at the end of this letter.
    [// GUIDANCE: Include FTC Identity Theft brochure link and SC-specific resources.]

  5. For More Information.
    If you have questions, please call our dedicated hotline at [TEL] (Monday–Friday, 9 a.m.–9 p.m. ET) or email us at [EMAIL].

We regret any inconvenience this incident may cause and appreciate your trust.

Sincerely,

[NAME]
[Title]
[Company Legal Name]

Credit Bureau Contact Information

• Equifax: www.equifax.com | (800) 525-6285
• Experian: www.experian.com | (888) 397-3742
• TransUnion: www.transunion.com | (800) 680-7289


3. ATTACHMENT B – INCIDENT FACTS & CHRONOLOGY (CONFIDENTIAL / AGENCY-ONLY)

  1. Detailed Timeline
    • [MM/DD/YYYY] – Initial alert from intrusion-detection system.
    • [MM/DD/YYYY] – Forensic team engaged; indicator of compromise confirmed.
    • [MM/DD/YYYY] – Containment measures (isolated servers, password resets).
    • [MM/DD/YYYY] – Law-enforcement hold requested; hold lifted [MM/DD/YYYY].
    • [MM/DD/YYYY] – Final forensic report issued; scope defined.

  2. Technical Findings
    • Vector: [SQL injection / phishing / credential stuffing].
    • Affected servers: [list hostnames / IP ranges].
    • Data exfiltration evidence: [yes/no; details].

  3. Resident Count Methodology
    • Source databases cross-referenced with mailing address fields; de-duplicated.

  4. Risk Assessment
    • Likelihood of identity theft: [low/moderate/high] (basis).
    • Mitigation effectiveness: [summary].

[// GUIDANCE: Keep this attachment factual and non-speculative; mark “CONFIDENTIAL – NOT FOR PUBLIC RELEASE” on each page.]


4. ATTACHMENT C – SUBSTITUTE NOTICE (Website / Media)

(Use only if written notice is impracticable under § 39-1-90(K); maintain for at least 30 days)

H1: NOTICE OF DATA BREACH
Body: On [DATE], [COMPANY] discovered a data security incident that may have involved personal information of certain individuals, including South Carolina residents. Affected data may include [DATA ELEMENTS]. For further information and to determine whether you are affected, please call [HOTLINE] or visit [SECURE PORTAL]. Complimentary credit monitoring is available.


KEY LEGAL & COMPLIANCE NOTES

[// GUIDANCE: Keep these notes internal—remove before sending final letters]
1. Statutory Reference: S.C. Code Ann. § 39-1-90 (2022).
2. Timing: “Most expedient time possible and without unreasonable delay” (§ 39-1-90(E)).
3. Agency Notice Threshold: Any breach involving SC residents; provide sample consumer notice and incident details.
4. CRA Notice Threshold: ≥ 1,000 individuals (§ 39-1-90(I)).
5. Content Requirements: Breach description, data elements, steps taken, resident actions, company contact info.
6. HIPAA Exception: Entities subject to HIPAA that provide compliant notice to individuals are deemed compliant for resident notice but must still notify SCDCA unless exempted under § 39-1-90(M).


Prepared by: [LAW FIRM / COUNSEL NAME]
Last revised: [MM/DD/YYYY]
