Notifications

If a business sends notice of a data security breach to 1,000 or more South Carolina residents at one time, the business must also notify the Department and the national credit reporting agencies. When sending notice to consumers, breached entities should include contact information for the Department so consumers may seek additional help from the Identity Theft Unit. When a business is required to notify the Department of a breach, the notice should include all of the following:

1. Date of the breach;
2. Date business became aware of the breach;
3. Date notice was/will be sent to affected consumers;
4. Method of consumer notification (i.e., direct mail, electronic mail, etc.)
5. Number of affected South Carolina consumers; 
6. Content of the consumer notice (i.e., copy of the letter sent to consumers); and
7. Action taken to avoid future breaches.

Breach notifications should be sent to the Department's Legal Division, P.O. Box 5757, Columbia, SC 29250 or emailed to scdca@scconsumer.gov.

For more information on the applicable laws in South Carolina, refer to the Identity Theft & The Law: A Guide for Business and Government (PDF)

Data Security Breach Reports

• 2017 Security Breach Notice Report (PDF)
• 2016 Security Breach Notice Report (PDF)
• 2015 Security Breach Notice Report (PDF)
• 2011 Security Breach Notice Report (PDF)

Data Security Breach Tips

• One in 500 million? How to Keep Your Info Safe After Marriott's Breach
• Be Alert in Wake of Facebook Breach
• Yahoo Breach Affects 3 Billion Accountholders
• Proactive Steps to Take in Wake of Massive Equifax Security Breach

Handouts

• Identity Theft & The Law: A Guide for Business and Government (PDF)
• FTC Safeguards Rule (PDF)
• FTC Information Compromise (PDF)

Other Important Information

• Financial Identity Fraud and Identity Theft Protection Act
• OCC Guidelines (PDF)
• FTC Disposal Rule (PDF)