Type of Data Covered |
Deadline for Notification |
Government Notice |
---|---|---|
Electronic. | Most expedient time possible and without unreasonable delay. | Yes – Dept. of Consumer Affairs if more than 1,000 residents are notified. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following data elements when not redacted or encrypted:
|
Definition of Breach |
Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to information that was encrypted, redacted, or rendered unusable through other means, as longas the method of encryption was not accessed or acquired. |
Risk of Harm Analysis |
Notification is not required if the entity reasonably believes that illegal use has not and is not reasonably likely to occur, and the use of the information does not create a material risk of harm to the resident. |
Consumer Notice Requirements |
Timing: Must be made in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Method: By written notice, telephone, or electronic notice if it is the entity’s primary method of communication with the individual or is consistent with E-SIGN and Chapter 6, Title 11 of the 1976 Code. Substitute notice is also available under certain circumstances. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice would exceed $250,000, or that the affected class to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following:
|
Delayed Notice Requirements |
Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation. |
Government Notice Requirements |
If more than 1,000 persons are notified, the entity must also notify the South Carolina Department of Consumer Affairs, Consumer Protection Division without unreasonable delay of the timing, distribution, and content of the notice. |
Third Party Notice Requirements |
If covered information is maintained on behalf of another entity, must notify the owner or licensee immediately following discovery of a breach. |
Consumer Reporting Agency Obligations |
If more than 1,000 persons are notified, the entity must notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice. |
Potential Penalties |
Violations may result in civil penalties, including damages, injunctions, and attorneys’ fees. Violators can be subject to administrative fines from the Department of Consumer Affairs of up to $1,000 for each resident whose information was accessible based on the breach. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties from applicable government agencies. |
Other Provisions | This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act. |
Last updated: January 2024