Learn how a cyber risk assessment supports compliance with South Carolina data security and breach laws while improving cyber resilience.

Cyber Risk Assessment for South Carolina Data Security Laws

December 09, 2025

South Carolina Data Security & Breach Laws: What Businesses Must Know

Do you know about South Carolina data security and breach laws? Before you get called a Yankee carpetbagger or, worse, face fines and regulatory scrutiny, it is worth making sure you are compliant. Data security and breach notification obligations exist in South Carolina, and failure to comply can be costly.

For many organizations, especially small and mid-sized businesses, these requirements are often overlooked until something goes wrong. Understanding them should be part of a basic risk management strategy, supported by regular cyber risk assessment activities.

South Carolina Insurance Data Security Act

On May 3, 2018, South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law. The Act became effective on January 1, 2019. South Carolina was the first state in the nation to pass legislation modeled after the NAIC Insurance Data Security Model Law.

This law applies to insurance licensees and establishes clear expectations around documented cybersecurity controls, breach reporting, and vendor oversight.

Note: Organizations should pay close attention to requirements involving third parties and service providers.

Key Implementation Dates

January 1, 2019
The South Carolina Insurance Data Security Act became effective. Licensees must notify the Director no later than 72 hours after determining that a qualifying cybersecurity event has occurred.

July 1, 2019
Licensees were required to implement Section 38-99-20, which mandates a comprehensive Written Information Security Program (WISP).

February 15, 2020
Domestic insurers domiciled in South Carolina must submit an annual written statement certifying compliance with Section 38-99-20.

July 1, 2020
Licensees were required to comply with Section 38-99-20(F), which expands requirements for organizations that use third-party service providers to maintain, process, or access nonpublic information. This reinforces the importance of third-party risk management.

Financial Identity Fraud & Identity Protection Act

The Financial Identity Fraud & Identity Protection Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws. This law applies broadly to businesses operating in South Carolina, not just insurance entities.

It requires businesses to notify customers of data breaches and notify consumer reporting agencies when more than 1,000 South Carolina residents are affected. Businesses can be fined up to $1,000 per affected resident.

This law applies to any person or business that owns or licenses personal identifying information.

Summary of Breach Notification Requirements

Protected Information
A combination of a name or identifying information plus one or more of the following:

  • Social Security number

  • Driver’s license number

  • Financial account numbers with required access credentials

Who Is Subject to the Law
Any person or business conducting business in South Carolina that owns or licenses personal identifying information.

Notification Requirements

  • Affected consumers must be notified

  • Consumer reporting agencies must be notified if more than 1,000 residents are impacted

  • Notification may be written, electronic, or telephonic depending on the relationship

Substitute Notice
Allowed if notification costs exceed $250,000 or more than 500,000 residents are affected.

Penalties and Enforcement

  • Regulatory fines up to $1,000 per affected resident

  • Private lawsuits are permitted

  • Actual damages, legal fees, and court costs may be recovered

The law does not apply if the compromised data was encrypted or otherwise rendered unusable.

Why These Laws Matter

South Carolina’s data security and breach laws are not theoretical. They are enforced, and breach notifications are publicly tracked. For businesses, this means documentation, response planning, and vendor oversight matter long before an incident occurs.

Organizations that regularly perform a cyber risk assessment, document their controls, and understand their notification obligations are far better positioned to respond effectively. This preparation directly supports long-term cyber resilience and reduces regulatory and financial exposure.


How tekrisq Helps

tekrisq works with organizations to turn regulatory requirements into practical, manageable actions. This includes:

  • Conducting structured cyber risk assessments

  • Developing Written Information Security Programs

  • Supporting incident response planning

  • Improving third-party risk management practices

Learn more about tekrisq at https://tekrisq.com/about, explore guidance for growing organizations at https://tekrisq.com/smbs, or view resources for advisors and professionals at https://tekrisq.com/professionals.


Build Resilience Before a Breach Happens

South Carolina data security and breach laws are established and enforceable. While broader privacy legislation may evolve over time, the current requirements already demand preparation, documentation, and accountability.

If you are unsure how your organization would respond to a breach, or whether your documentation would stand up to scrutiny, starting with a cyber risk assessment is a practical first step.

If your organization needs support evaluating cyber readiness or strengthening compliance, contact our team here.

Cybersecurity firm offering cyber risk assessments, cybersecurity insurance, and regulation assistance for SMBs and risk professionals across the globe.
