South Carolina Code § 39-1-90
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"“Breach of the security of the system” means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident. Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." If over 1,000 residents are affected, the Department of Consumer Affairs and consumer credit agencies must be notified. Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances.
What are the penalties for non-compliance?
Two sections of the law address violations: § 39-1-90(G) and (H). Section G deals with private rights of action and Section H deals with administrative penalties. They are excerpted below:
"(G) A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:
(1) institute a civil action to recover damages in case of a wilful and knowing violation;
(2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section;
(3) seek an injunction to enforce compliance; and
(4) recover attorney’s fees and court costs, if successful.
(H) A person who knowingly and wilfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs."