The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
South Carolina
Data Breach Notification Statute
Highlights
Covered Entities: A person (business or individual) or a state agency conducting business in South Carolina and owning or licensing computerized data or other data that includes personal identifying information.
Consumer Notification: Notification must be provided to any South Carolina resident whose “personal identifying information … was, or is reasonably believed to have been, acquired by an unauthorized person …”
Regulatory Notification: Notification must be provided to the Consumer Protection Division of the Department of Consumer Affairs and to all nationwide consumer reporting agencies where notice is provided “to more than one thousand persons at one time pursuant to this section …”
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay …”
Data Format: Electronic
Citations: S.C. Code §39-1-90, S.C. Code §1-11-490
More Details
Definitions:
- Breach: Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods, where that access and acquisition compromises the security, confidentiality, or integrity of personal identifying information.
- Personal Information (PI):
- An individual’s first name / first initial and last name in combination with and linked to any one or more of the following data elements that relate to a South Carolina resident:
- Social Security number;
- Driver's license number or state identification card number issued instead of a driver's license;
- Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account.
- Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
- Medical Information: N/A
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: Notification is not required if the impacted data is rendered unusable through encryption, redaction, or other methods.
- Good Faith: Good faith acquisition of personal identifying information by an employee or agent of the covered entity for the purposes of its business is not a breach if the personal identifying information is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required when illegal use of the information has not occurred and is not reasonably likely to occur, and use of the information does not create a material risk of harm to the resident.
- Law Enforcement Delay: Notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation.
Direct Notice:
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach and restore the integrity of the system.
- Format: N/A
- Content: N/A
- Method: Notification may be provided by written notice, electronic notice (if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures in Section 7001 of Title 15 U.S.C. and Chapter 6, Title 11 of the 1976 Code), or telephonic notice.
Substitute Notice:
An entity may provide substitute notice if it demonstrates that (1) the cost of providing direct notice exceeds $250,000, (2) the affected class of subject persons to be notified exceeds 500,000, or (3) the entity has insufficient contact information. Substitute notice consists of: (1) e-mail notice, where an e-mail address is available; (2) conspicuous posting of the notice on the entity's website, if it maintains one; or (3) notification to major statewide media.
Remediation Services:
N/A
Regulatory Notice:
If an entity provides notice to more than 1,000 persons at one time pursuant to this section, the entity shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs.
Credit Reporting Agencies Notice:
If an entity provides notice to more than 1,000 persons at one time pursuant to this section, the entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis.
Third-Party Notice:
An entity conducting business in this State and maintaining computerized data or other data that includes personal identifying information that the entity does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
HIPAA:
N/A
Private Action:
A South Carolina resident who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: institute a civil action to recover damages in case of a willful and knowing violation; institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation; seek an injunction to enforce compliance; and recover attorney's fees and court costs, if successful.
Associated Regulations:
- Insurance Data Security (S.C. Code Ann. §§ 38-99-10 to 38-99-100)
- Information Security Standard (S.C. Code Ann. §§ 37-20-110 to 37-20-200 and § 38-99-20)
Insurance Data Security Statute
Highlights
Covered Entities (Licensees): An entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
Consumer Notification: A licensee shall comply with the notice requirements of Section 39-1-90, and other applicable law.
Regulatory Notification: A licensee shall notify the director no later than 72 hours after determining that a cybersecurity event has occurred, when either of the criteria listed under Regulatory Notice below is met.
Notification Timeline: No later than 72 hours after determining that a cybersecurity event has occurred.
Citations: S.C. Code Ann. §§ 38-99-10 to 38-99-100
More Details
Definitions:
- Consumer: An individual including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.
- Cybersecurity Event: An event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system. The term "cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released or used without authorization. The term "cybersecurity event" also does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Information that is not publicly available information and is:
- Business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
- Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- Account number, credit or debit card number;
- Security code, access code, or password that would permit access to a consumer's financial account; or
- Biometric records.
- Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
- The past, present, or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
Regulatory Notice:
A licensee shall notify the director no later than 72 hours after determining that a cybersecurity event has occurred when either of the following criteria is met:
- South Carolina is the licensee's state of domicile in the case of an insurer, or the licensee's home state in the case of a producer; or
- The licensee reasonably believes that the nonpublic information involved relates to 250 or more consumers residing in this State, and the cybersecurity event either:
- Is one of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law; or
- Has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee.
Content Requirements:
The licensee shall provide as much of the following information as possible. The licensee shall provide the information in electronic form as directed by the director. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the director concerning the cybersecurity event. The information sent to the director must include:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, governmental or law enforcement agencies and, if so, when such notification was provided.
- A description of the specific types of information acquired without authorization, which means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this State affected by the cybersecurity event, in which case the licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.
Third-Party Notice Requirements:
In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat such event as it would a cybersecurity event in its own systems under the regulatory notice requirements above (subsection (A) of the same section), including the 72-hour notice to the director where the criteria are met.
Penalties:
The director has the power and authority to examine and investigate into the affairs of a licensee to determine whether the licensee is engaged in conduct in violation of this chapter. This power is in addition to the powers which the director has under this title. An investigation or examination must be conducted pursuant to Section 38-13-10, et seq. When the director has reason to believe that a licensee is engaged in conduct in this State which violates the provisions of this chapter, the director may take necessary and appropriate action to enforce the provisions of this chapter.
Associated Regulations:
N/A
Information Security Standard
Highlights
Covered Entities: Businesses licensed in South Carolina
First Party Security Standard: Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
Third Party Security Standard: N/A
Disposal/Destruction Standard: When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
Data Format: Electronic and Paper.
Citations: S.C. Code Ann. §§ 37-20-110 to 37-20-200; S.C. Code Ann. § 38-99-20
More Details
Definitions:
- Personal Information (PI): The first name or first initial and last name in combination with and linked to one (1) or more of the following data elements that relate to a resident of South Carolina, when the data elements are neither encrypted nor redacted:
- Social Security number;
- Driver's license number or state identification card number issued instead of a driver's license;
- Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or
- Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Methods of Compliance:
The statute does not define what constitutes “reasonable security procedures and practices …” However, for insurance licensees, South Carolina prescribes a full information security program in the South Carolina Insurance Data Security Act.
Exclusions:
- Health Care: These requirements do not apply to a health insurer that is subject to and in compliance with the standards of HIPAA.
- Financial: These requirements do not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act.
- Other: These requirements do not apply to a consumer credit-reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.
Enforcement/Penalties:
A business that negligently violates this chapter is liable for the greater of actual damages or $1,000 for each incident, as well as reasonable attorney's fees and costs. A business that knowingly and willfully violates a provision of this chapter is liable for three times the amount of actual damages or $3,000 for each incident, whichever is greater, as well as reasonable attorney's fees and costs.
Associated Regulations:
N/A