Mandatory Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification: Civil action and $1,000 or more per resident
Third Party Management: None to minimal
When a business provides notice to more than 1,000 persons, it must also report the breach, without unreasonable delay, to the Consumer Protection Division of the Department of Consumer Affairs and to all consumer reporting agencies that compile and maintain files on a nationwide basis.
Violations involving breach notification are subject to an administrative fine in the amount of $1,000 for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs. A civil action may also be brought to recover actual damages resulting from a negligent violation, injunctive relief to enforce compliance, and recovery of attorney’s fees and costs if successful.
Violations involving the protection of social security numbers and data disposal laws can carry a penalty of liability for three times the amount of actual damages or not more than $1,000 for each incident, whichever is greater, as well as reasonable attorney’s fees and costs.
Additional requirements may exist for education-sector entities, especially with regard to requests for information and student data protection requirements.
Additional stringent requirements may exist for insurance-sector entities, including risk assessment, written privacy program, 72-hour consumer breach notification timeframe requirements, and more.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents of other states, you will need to notify those residents under each state's rules.
Statutes and Laws
S.C. Code § 39-1-90 Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division (2008)
S.C. Code § 37-20-180 Restrictions on publication and use of social security numbers; exception (2008)
S.C. Code § 37-20-190 Requirements for disposition of business records; exceptions (2008)
S.C. Code §§ 38-99-10 – 38-99-100 South Carolina Insurance Data Security Act (takes effect January 1, 2019)
S.C. Code § 59‑1‑490 South Carolina Department of Education Data Use and Governance Policy (2014)