What are South Carolina Data Security & Breach Laws?

December 28, 2021



Do you know about South Carolina's Insurance Data Security and Breach Notification laws? Well, before you get called a yankee carpetbagger and a number of old terms for a shyster, read this. If you are not sure whether you’re compliant, you need to find out. Data security and breach notification obligations exist in South Carolina, and failure to comply can be costly.

Insurance Data Security Act

On May 3, 2018, South Carolina Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (the “Act”).  The Act became effective on January 1, 2019.  South Carolina was the first state in the nation to pass this important and timely legislation which was modeled after the NAIC Insurance Data Security Model Law.

NOTE: Please review Important Info About 3rd Parties and Compliance

Key Implementation Dates:

January 1, 2019

South Carolina Insurance Data Security Act becomes effective.  This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.

July 1, 2019

Licensees must have implemented Section 38-99-20 by this date.  This section requires that licensees establish a comprehensive, written information security program (WISP) by July 1, 2019.

February 15, 2020

Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.

July 1, 2020

Licensees must have implemented Section 38-99-20(F) by this date.  This section details additional requirements for licensees who contract with third-party service providers that maintain, process, or store nonpublic information, or are otherwise permitted access to it, through their provision of services to the licensee.

The Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws.  The Act defines the requirements applicable to a “licensee” and establishes standards for data security and standards for the investigation of, and notification to the Director of, a cybersecurity event.

Financial Identity Fraud & Identity Theft Protection Act

South Carolina’s Financial Identity Fraud and Identity Theft Protection Act requires businesses to notify their customers about a data breach and inform consumer reporting agencies when the breach affects more than 1,000 SC residents. Businesses can be fined $1,000 per consumer affected by the breach. This law applies to all companies conducting business in South Carolina.

Name of Law / Statute: Financial Identity Fraud and Identity Theft Protection Act
Definition of Protected Information: Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, or debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law?: Any person or business conducting business in the state who licenses or owns PI
Notification of Consumers?: Yes
By what means?: Written, phone, or electronic (depending on prior relationship); if >1,000 residents, must notify consumer reporting agencies
Substitute Notice Threshold?: If cost of notice >$250,000 or involves >500k residents
Notification of authorities / regulators required?: Yes, if >1,000 residents affected
By what means?: N/A
Regulatory Fines: $1,000/resident affected
Credit monitoring requirement?: No
Private lawsuits allowed?: Yes
Private damages cap?: Actual damages + costs, fees
Regulatory actions allowed?: Yes
HIPAA Compliance exemption?: N/A
Other (e.g., timeframe): Law does not apply if PI was encrypted or otherwise secured or modified to protect PI
Link to complete law: South Carolina data breach law

2012 South Carolina Code of Laws
Title 39 – Trade and Commerce

Chapter 1 – GENERAL PROVISIONS

Section 39-1-90 – Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division.

Universal Citation: SC Code § 39-1-90 (2012)

(A) A person conducting business in this State, and owning or licensing computerized data or other data that includes personal identifying information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(B) A person conducting business in this State and maintaining computerized data or other data that includes personal identifying information that the person does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

(C) The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation.

(D) For purposes of this section:

(1) “Breach of the security of the system” means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident. Good faith acquisition of personal identifying information (PII) by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.

(2) “Person” has the same meaning as in Section 37-20-110(10).

(3) “Personal identifying information” has the same meaning as “personal identifying information” in Section 16-13-510(D).

(E) The notice required by this section may be provided by:

(1) written notice;

(2) electronic notice, if the person’s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures in Section 7001 of Title 15 USC and Chapter 6, Title 11 of the 1976 Code;

(3) telephonic notice; or

(4) substitute notice, if the person demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the person has insufficient contact information. Substitute notice consists of:

(a) e-mail notice when the person has an e-mail address for the subject persons;

(b) conspicuous posting of the notice on the web site page of the person, if the person maintains one; or

(c) notification to major statewide media.

(F) Notwithstanding subsection (E), a person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if the person notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(G) A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1) institute a civil action to recover damages in case of a willful and knowing violation;

(2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section;

(3) seek an injunction to enforce compliance; and

(4) recover attorney’s fees and court costs, if successful.

(H) A person who knowingly and willfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.

(I) This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act.

(J) A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as amended, is considered to be in compliance with this section.

(K) If a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 USC Section 1681a(p), of the timing, distribution, and content of the notice.

HISTORY: 2008 Act No. 190, Section 7.A, eff July 1, 2009.