
South Carolina Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to South Carolina cybersecurity and data privacy laws, including the Insurance Data Security Act, breach notification requirements, and the Identity Theft Protection Act.

South Carolina's cybersecurity regulatory environment has evolved substantially since the 2012 Department of Revenue breach exposed 3.6 million Social Security numbers and forced the state to confront fundamental gaps in data protection. That incident, one of the worst government data breaches in U.S. history, served as a catalyst for legislative action that has steadily raised the compliance bar for businesses operating in the Palmetto State. Today, South Carolina businesses must navigate a combination of state-specific statutes, industry regulations, and federal frameworks that together create a layered set of obligations.

Unlike states such as California or Virginia that have enacted comprehensive consumer privacy laws, South Carolina's approach is built around sector-specific statutes and a foundational breach notification law. The history of data breaches in South Carolina demonstrates why these laws exist and why compliance is not merely a legal checkbox but a practical necessity for organizations that handle sensitive personal, financial, or health information.

South Carolina Data Privacy and Cybersecurity Laws

South Carolina Breach Notification Law (SC Code 39-1-90)

South Carolina's primary breach notification statute is codified at SC Code Section 39-1-90, part of the state's broader consumer protection framework. The law requires any person or business conducting business in South Carolina that owns or licenses computerized data containing personal identifying information to disclose a breach to affected residents. Key provisions include:

  • Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement

  • Personal identifying information is defined as a person's first name or initial and last name combined with a Social Security number, driver's license number, state ID number, financial account number with access codes, or other data permitting access to financial accounts

  • If the breached entity determines that misuse of the information has occurred or is reasonably likely to occur, notification is required

  • When notification is required for more than 1,000 residents, the entity must also notify the major consumer reporting agencies

  • The South Carolina Attorney General and the Department of Consumer Affairs must also be notified of breaches

The law provides a safe harbor for encrypted data — if the breached information was encrypted and the encryption key was not also compromised, notification is not required. This provision directly incentivizes encryption at rest and played a role in the reforms adopted across state agencies after the 2012 South Carolina Department of Revenue (SCDOR) breach.

South Carolina Identity Theft Protection Act

Enacted in 2008 and codified in Title 37, Chapter 20 of the South Carolina Code of Laws, the Identity Theft Protection Act strengthened protections around Social Security numbers and other sensitive identifiers. The law restricts how businesses can collect, use, and display Social Security numbers, prohibiting practices such as printing SSNs on mailed documents, requiring SSNs for website access (unless no alternative identifier is available), and embedding SSNs in barcodes or magnetic strips on identification cards. The Act also established requirements for businesses to properly destroy records containing personal identifying information when those records are no longer needed.

South Carolina Insurance Data Security Act (Act 171)

Act 171, signed into law in May 2018 and effective January 1, 2019, is South Carolina's implementation of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. South Carolina was the first state in the nation to adopt this model law, making it a leader in insurance-sector cybersecurity regulation. Act 171 applies to all licensees of the South Carolina Department of Insurance, including insurance companies, producers, adjusters, and other licensed entities. Key requirements include:

  • Information Security Program — licensees must develop, implement, and maintain a comprehensive written information security program based on a risk assessment

  • Risk Assessment — licensees must conduct periodic risk assessments that identify reasonably foreseeable threats, assess the likelihood and potential damage of those threats, and evaluate the sufficiency of existing safeguards

  • Incident Response Plan — licensees must establish a written incident response plan designed to promptly respond to and recover from cybersecurity events

  • Third-Party Service Provider Oversight — licensees must exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures

  • Notification to the Director of Insurance — licensees must notify the Director of the South Carolina Department of Insurance within 72 hours of determining that a cybersecurity event has occurred that affects nonpublic information

Act 171 includes size-based exemptions. Licensees with fewer than 10 employees are exempt from certain provisions, including the requirement to maintain a formal written information security program, though they are still subject to breach notification requirements. Licensees that are subject to and compliant with HIPAA are deemed to be in compliance with portions of Act 171 relating to the information security program.

South Carolina Financial Information Privacy Act

Codified in SC Code Title 37, Chapter 20, Article 3, this law addresses the sharing of financial information by financial institutions operating in South Carolina. It aligns with the federal Gramm-Leach-Bliley Act (GLBA) requirements but adds state-level enforcement mechanisms. Financial institutions must provide customers with privacy notices explaining their information-sharing practices and offer opt-out rights for sharing with nonaffiliated third parties.

Federal Compliance Frameworks Affecting South Carolina Businesses

HIPAA and Healthcare Compliance

South Carolina's healthcare sector, anchored by institutions like the Medical University of South Carolina (MUSC), Prisma Health, and the Ralph H. Johnson VA Medical Center, must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Given the history of healthcare-related breaches in South Carolina, organizations should treat HIPAA as a floor rather than a ceiling for their security programs.

CMMC and Defense Contractor Requirements

South Carolina's significant military presence — including Joint Base Charleston, Shaw Air Force Base, Marine Corps Recruit Depot Parris Island, and Fort Jackson (the U.S. Army's largest initial entry training center) — means hundreds of defense contractors and subcontractors across the state must comply with the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC 2.0 requires defense contractors to implement security controls from NIST SP 800-171 and undergo third-party assessment depending on the sensitivity of the controlled unclassified information they handle. The South Carolina threat landscape is heavily influenced by this defense concentration.

PCI DSS for Tourism and Hospitality

South Carolina's tourism industry generates over $28 billion annually, with heavy concentrations along the Grand Strand (Myrtle Beach), Charleston, and Hilton Head Island. Businesses processing credit card payments must comply with PCI DSS requirements, which include maintaining secure networks, protecting cardholder data, implementing access controls, and conducting regular vulnerability testing. The seasonal surge in transaction volumes during peak tourist months creates additional risk windows that businesses must manage.

Compliance Steps for South Carolina Businesses

Building a compliance program that addresses South Carolina's overlapping requirements does not require separate initiatives for each law. A structured approach can satisfy multiple obligations simultaneously:

  • Conduct a comprehensive risk assessment — identify what personal, financial, health, and business data you collect, where it resides, who has access, and what threats it faces. This single exercise satisfies requirements under Act 171, HIPAA, CMMC, and general security best practices

  • Implement encryption at rest and in transit — encryption provides a safe harbor under SC Code 39-1-90 and is required or strongly encouraged under every framework applicable to South Carolina businesses

  • Establish a written information security program — document your security policies, controls, and procedures. This is explicitly required under Act 171 for insurance licensees and effectively required for HIPAA, CMMC, and PCI DSS compliance

  • Develop and test an incident response plan — your plan should include specific notification timelines (72 hours for Act 171, without unreasonable delay for SC Code 39-1-90) and designate responsible personnel

  • Vet third-party service providers — Act 171 explicitly requires oversight of service providers, and supply-chain risk is a persistent theme across South Carolina incidents

  • Train employees on security awareness — phishing was the entry point for the SCDOR breach and remains the most common initial access vector in South Carolina incidents

  • Maintain records of compliance activities — document your risk assessments, training sessions, policy updates, and incident response exercises for regulatory review

Many South Carolina businesses, particularly small and midsize organizations, find that partnering with a managed IT services provider is the most practical way to maintain continuous compliance without building a full in-house security team.

Penalties for Noncompliance

Penalties vary by statute. Under SC Code 39-1-90, the South Carolina Attorney General can bring enforcement actions for failure to provide required breach notifications. The Identity Theft Protection Act includes civil penalties for violations related to the mishandling of Social Security numbers. Act 171 grants the Director of the Department of Insurance authority to impose penalties on licensees that fail to comply with the information security program, risk assessment, or notification requirements. In practice, the reputational and operational costs of a breach often dwarf the direct regulatory penalties, as the SCDOR incident demonstrated with its $20 million-plus price tag.

Frequently Asked Questions

Does South Carolina have a comprehensive consumer privacy law like California's CCPA?

No. As of 2025, South Carolina has not enacted a comprehensive consumer data privacy law comparable to the CCPA or Virginia's CDPA. South Carolina's data protection framework is built around sector-specific statutes including the breach notification law (SC Code 39-1-90), the Identity Theft Protection Act, and the Insurance Data Security Act (Act 171). Businesses should monitor the General Assembly for future privacy legislation, as several states have enacted comprehensive laws in recent years.

What is the breach notification deadline under South Carolina law?

SC Code 39-1-90 requires notification in the most expedient time possible and without unreasonable delay. Unlike some states that specify a fixed number of days (such as Texas's 60-day requirement), South Carolina uses a reasonableness standard. However, the Insurance Data Security Act (Act 171) requires notification to the Director of the Department of Insurance within 72 hours of determining a cybersecurity event has occurred.

Who enforces South Carolina's data privacy laws?

The South Carolina Attorney General has enforcement authority over the breach notification law and the Identity Theft Protection Act. The South Carolina Department of Insurance enforces Act 171 for insurance licensees. The Department of Consumer Affairs also plays a role in consumer protection related to data breaches. Federal agencies including HHS Office for Civil Rights (for HIPAA) and the Department of Defense (for CMMC) enforce their respective frameworks independently.

Is South Carolina's Insurance Data Security Act based on a national model?

Yes. Act 171 is based on the NAIC Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners in 2017. South Carolina was the first state in the nation to enact legislation based on this model, with the law signed in May 2018 and effective January 1, 2019. The NAIC model provides a uniform framework for insurance-sector cybersecurity requirements, and many other states have since adopted similar legislation.

Do small businesses in South Carolina need to comply with Act 171?

Act 171 applies to all licensees of the South Carolina Department of Insurance. However, it includes size-based exemptions: licensees with fewer than 10 employees are exempt from certain requirements, including the formal written information security program, though they remain subject to breach notification provisions. Businesses that are not insurance licensees are not subject to Act 171 at all, though they must still comply with the general breach notification law and other applicable statutes.

What data qualifies as personal identifying information under South Carolina law?

Under SC Code 39-1-90, personal identifying information includes a person's first name or first initial and last name in combination with one or more of the following: Social Security number, driver's license or state identification card number, financial account number (or credit/debit card number) combined with any required security code or access code, or other numbers or information that may be used to access a person's financial accounts. The information must be unencrypted or in a form accessible to unauthorized parties to trigger notification requirements.


Alex Morgan

Updated Apr 4, 2026 · 10 min read