COLUMBIA — The state’s chief consumer advocate said she wants to toughen South Carolina’s financial privacy law to include preventive steps before security breaches of personal information occur.
A 2009 law lays out strong protection procedures that kick in after a consumer’s financial or confidential information has been captured, Carri Grube-Lybarker said.
The law “doesn’t take steps to tell agencies what to do to guard against a breach,” she said in the wake of Friday’s disclosure that 3.6 million Social Security numbers and 387,000 credit or debit card numbers belonging to South Carolina taxpayers had been hacked at the state taxing agency.
A criminal investigation that is focused on a foreign hacker or hackers has been under way for weeks.
Grube-Lybarker said that strengthening the three-year-old law, which she characterizes as among the nation’s toughest in some ways, with preventive measures will cost money. She did not itemize what measures she has in mind.
Still, “I would certainly bring it to the table for discussion,” the consumer advocate said of the upcoming legislative session.
The law, as it stands now, permits people who think their personal information has been stolen to go to the S.C. Department of Consumer Affairs to place a freeze on their credit reports.
The service is free. And as a consumer, you do not have to show that an identity theft has occurred – that a thief has opened up new credit lines using your name – or even that a thief simply used your credit card, Grube-Lybarker said.
Those privileges are rare in the United States, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, a 20-year-old, nonprofit privacy and consumer advocacy organization.
But a freeze can delay the consumer from getting credit he or she wants, such as a home or car loan or a credit card. A freeze must be “unfrozen” by the consumer, Givens said.
Sen. Jake Knotts, R-Lexington, said Friday he plans to file a bill that would require the S.C. Department of Revenue and other state agencies to secure their information systems.
The bill also would allow tax deductions for taxpayer losses that result from the hacking scheme.
It’s not like taxpayers have a choice when it comes to filing their personal data with the taxman, Knotts said.
“The people of South Carolina ought to at least have the peace of mind that their private information, which they’re required to provide to the state, is kept secure,” Knotts said in a statement.
House Speaker Bobby Harrell, R-Charleston, issued a statement saying that “… the General Assembly is prepared to act in any fashion necessary to assist in remedying this situation.”
Harrell made no specific recommendation.
The size and depth of the Revenue Department’s breach dwarf anything in the California clearinghouse group’s vast database that dates to 2005.
An analysis of its breaches that deal with tax collection agencies shows that the next-largest breach was in July, when about 111,000 reports of Wisconsin property sales in 2011 were inadvertently made available online for two and a half months. The reports contained Social Security and tax identification numbers.
The clearinghouse listed 11 other cases of tax record breaches by government agencies.
The numbers of files affected ranged from 106,000 at the Connecticut Department of Revenue Services in August 2007 to as few as 38 at the New York Department of Taxation in May 2006.
Some U.S. Internal Revenue Service – it’s unclear how many – also have been breached.
Before the Department of Revenue announcement, South Carolina had been the location of 33 data security breaches since 2005, according to the Privacy Rights Clearinghouse.
A total of 961,000 records, many of which included Social Security numbers, were involved in 27 of the breaches. The number of records accessed was not included in six of the incidents.
A little more than half of the 33 breaches were from federal, state and local government agencies. The rest were private businesses.
In the latest incident, Givens took issue with the lack of data encryption in South Carolina – most of the state’s data was not encrypted.
“The fact that it wasn’t is a significant failing on the part of the tax authorities,” she said.
She called the vast number of files “a massive breach.”
Encryption is standard practice at financial institutions.
Givens said she does not know how many states encrypt their tax records.
The state – and other states – will have to wait to see if South Carolina was specifically targeted because of that vulnerability.