Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect personal information
  • Written Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification
Civil action and $1,000 or more per resident

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis is required in the event a business provides notice to more than 1,000 persons, without unreasonable delay.
  • Violations involving breach notification are subject to an administrative fine in the amount of $1,000 for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.  A civil action may also be brought to recover actual damages resulting from a negligent violation, injunctive relief to enforce compliance, and recovery of attorney’s fees and costs if successful.
  • Violations involving the protection of social security numbers and data disposal laws can carry a penalty of liability for three times the amount of actual damages or not more than $1,000 for each incident, whichever is greater, as well as reasonable attorney’s fees and costs.
  • Additional requirements may exist for education-sector entities, especially with regard to request for information and student data protection requirements.
  • Additional stringent requirements may exist for insurance-sector entities, including risk assessment, written privacy program, 72-hour consumer breach notification timeframe requirements, and more.
  • If vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • S.C. Code § 39-1-90 Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division (2008)
  • S.C. Code § 37-20-180 Restrictions on publication and use of social security numbers; exception (2008)
  • S.C. Code § 37-20-190 Requirements for disposition of business records; exceptions (2008)
  • S.C. Code §§ 38-99-10 – 38-99-100 South Carolina Insurance Data Security Act (takes effect January 1, 2019)
  • S.C. Code § 59‑1‑490 South Carolina Department of Education Data Use and Governance Policy (2014)
  • S.C. Code §§ 44‑115‑10 – 44‑115‑140 Physicians’ Patient Records Act (1992)
BAck to map