← All US breach laws·SC

South Carolina data breach notification law

South Carolina's data breach notification requirements under S.C. Code §39-1-90. Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
S.C. Code §39-1-90
Enforcer
South Carolina Department of Consumer Affairs + Attorney General
AG notification
Required
Private right of action
Yes — residents can sue

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay
Notify the state regulator
Yes — if more than 1,000 SC residents are affected, written notice to the SC Department of Consumer Affairs
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required when illegal use has occurred or is reasonably likely to occur, or use that creates a material risk of harm
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under South Carolina law

First name/initial + last name with SSN, DL/state ID, financial account + access code, other numbers/info that could be used to access financial resources

Penalties and enforcement

$1,000 per resident not notified — uncapped; private right of action for actual damages
Enforced by: South Carolina Department of Consumer Affairs + Attorney General. Official regulator page →

Common pitfalls

South Carolina's UNCAPPED $1,000-per-resident penalty makes late notice for large breaches potentially ruinous

Frequently asked questions

How long do I have to notify South Carolina residents after a data breach?
In the most expedient time possible and without unreasonable delay
Do I have to notify the South Carolina Attorney General?
Yes — if more than 1,000 SC residents are affected, written notice to the SC Department of Consumer Affairs
Does South Carolina require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from South Carolina's breach notification requirement?
Yes — South Carolina has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can South Carolina residents sue me directly for a data breach?
Yes — South Carolina allows a private right of action. Affected residents may sue for actual damages and, in some cases, statutory damages or attorneys' fees. Class actions are common.
What counts as 'personal information' under South Carolina law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, other numbers/info that could be used to access financial resources
What are the penalties for failing to comply with South Carolina's breach notification law?
$1,000 per resident not notified — uncapped; private right of action for actual damages

Related state breach laws

Pennsylvania (PA)
73 Pa. C.S. §§2301 to 2330
Rhode Island (RI)
R.I. Gen. Laws §§11-49.3-1 to 11-49.3-6
South Dakota (SD)
S.D. Codified Laws §§22-40-19 to 22-40-26
Tennessee (TN)
Tenn. Code §47-18-2107

Pre-empt the South Carolina breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against South Carolina's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit