South Carolina Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal data belonging to South Carolina residents, a data breach triggers notification obligations under S.C. Code Section 39-1-90. South Carolina's breach notification law has been in effect since 2009 and applies to any person conducting business in the state who owns or licenses computerized data that includes personal identifying information.

Unlike many states that have adopted firm day-count deadlines in recent years, South Carolina still uses a "without unreasonable delay" standard. The law also stands out for granting individuals a private right of action and for routing enforcement through the Department of Consumer Affairs rather than the Attorney General.

This guide covers the full requirements under South Carolina law, including how they connect to the broader [South Carolina data privacy laws](/us-laws/data-privacy-laws/south-carolina-data-privacy-laws) framework.

Who Must Comply

South Carolina's law applies to any person conducting business in the state who owns or licenses computerized data that includes personal identifying information of South Carolina residents. The term "person" includes individuals, businesses, corporations, partnerships, and other entities.

When a third party maintains data on behalf of the data owner or licensee, the third party must notify the data owner or licensee immediately following the discovery of a breach. The data owner then carries the notification obligation to affected residents.

Financial Institution Exception

Banks and financial institutions that comply with the notification requirements of the Gramm-Leach-Bliley Act (GLBA) interagency guidance on response programs for unauthorized access to customer information are exempt from the general notification requirements of Section 39-1-90.

What Triggers Notification

Under Section 39-1-90, a breach of the security of the system means unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.

Notification is required when personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person, and either:

• Illegal use of the information has occurred or is reasonably likely to occur, or
• The use of the information creates a material risk of harm to the resident

This two-pronged trigger gives entities some latitude to assess risk. Not every technical breach automatically requires notification. The entity must determine whether unauthorized acquisition actually occurred and whether it poses a meaningful risk.

Good Faith Exception

A good faith acquisition of personal information by an employee or agent of the person is not a breach, provided the information is not used for or subject to further unauthorized disclosure.

Encryption Safe Harbor

If personal identifying information was rendered unusable through encryption, redaction, or other methods, notification is not required. South Carolina does not specify a minimum encryption standard (unlike Rhode Island, which requires 128-bit encryption), so any generally accepted encryption method should qualify.

Personal Information That Triggers the Law

Under Section 39-1-90, personal identifying information means the first name or first initial and last name of a resident, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted or redacted:

• Social Security number
• Driver's license number or state identification card number
• Financial account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account
• Other numbers or information that may be used to access a person's financial accounts
• Government-issued identification numbers

South Carolina's inclusion of "other numbers or information which may be used to access a person's financial accounts" is a catch-all provision that extends coverage beyond the specific categories listed. However, the law does not cover medical information, health insurance data, biometric data, or email credentials, making it narrower than some more recently updated state laws.

Personal identifying information does not include information that is lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the general public.

Notification Timeline

South Carolina requires notification "in the most expedient time possible and without unreasonable delay." The law does not impose a specific day-count deadline.

The notification timeline must be consistent with:

• The legitimate needs of law enforcement (if law enforcement requests a delay)
• Measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system

Law Enforcement Delay

Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, the entity must proceed with notification.

Who Must Be Notified

Affected Individuals

Every South Carolina resident whose personal identifying information was or is reasonably believed to have been acquired by an unauthorized person must receive notification.

Consumer Reporting Agencies and Consumer Protection Division (1,000+ Threshold)

When a person is required to notify 1,000 or more persons of a breach at one time, the person must also notify, without unreasonable delay, the Consumer Protection Division of the South Carolina Department of Consumer Affairs and all nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) of the timing, distribution, and content of the notices.

No Attorney General Notification

South Carolina is one of the few states that does not route breach notifications to the Attorney General's office. The Department of Consumer Affairs handles enforcement and receives large-breach reports.

Methods of Notification

South Carolina permits several notification methods:

• Written notice to the affected resident
• Electronic notice, if the entity's primary method of communication with the resident is electronic
• Telephonic notice
• Substitute notice, if the cost of providing notice exceeds $250,000, the affected population exceeds 500,000 persons, or the entity does not have sufficient contact information. Substitute notice requires email notice to available addresses, conspicuous posting on the entity's website, and notification to major statewide media.

Penalties and Enforcement

South Carolina's breach notification law includes both private and public enforcement mechanisms.

Private Right of Action

South Carolina is one of the states that grants individuals the right to sue for breach notification violations:

• Knowing and willful violations: A resident injured by a violation may bring a civil action to recover damages
• Negligent violations: A resident may bring a civil action, but recovery is limited to actual damages

This distinction matters. For willful violations, plaintiffs may recover broader damages. For negligent violations, the claim is capped at provable actual losses.

Administrative Penalties

A person who knowingly and willfully violates the statute is subject to an administrative fine of $1,000 for each South Carolina resident whose information was accessible by reason of the breach. The fine is determined by the Department of Consumer Affairs.

Injunctive Relief

The Department of Consumer Affairs may also seek injunctive relief to address ongoing violations.

No AG Enforcement

Unlike most states, the South Carolina Attorney General does not have a direct enforcement role under Section 39-1-90. Enforcement authority rests with the Department of Consumer Affairs.

The Insurance Data Security Act (S.C. Code 38-99)

South Carolina enacted the Insurance Data Security Act in 2018, based on the NAIC Insurance Data Security Model Law. This separate statute applies specifically to licensees of the Department of Insurance, including insurers, agents, and other entities licensed under Title 38.

Key differences from the general breach notification law:

• 72-hour reporting: Licensees must notify the Director of Insurance within 72 hours of determining that a cybersecurity event has occurred, when certain thresholds are met
• Information security program: Licensees must implement a comprehensive written information security program
• Third-party service providers: Licensees must exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures

Insurers with direct contractual relationships with affected consumers must still fulfill the consumer notification requirements of Section 39-1-90 in addition to the Insurance Data Security Act obligations.

More South Carolina Laws

• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Data Privacy Laws
• South Carolina Recording Laws

Sources and References

This article draws from the following official South Carolina government sources:

• S.C. Code Section 39-1-90 - Full text of South Carolina's data breach notification statute
• SC Department of Consumer Affairs: Security Breach Notices - Consumer Protection Division breach reporting portal
• S.C. Code Title 38, Chapter 99 (Insurance Data Security Act) - Insurance-specific data security and breach notification requirements
• SC Department of Insurance: Cybersecurity - Insurance Data Security Act guidance

This article provides general legal information about South Carolina data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in South Carolina for guidance specific to your situation.