Can I avoid having a data breach response plan in South Carolina? What are the requirements?
Data Breach Response Plan Requirements in South Carolina
In South Carolina, licensees are required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [1.5]. As part of this information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations [1.5].
Therefore, licensees in South Carolina are required to have a data breach response plan as part of their information security program. Failure to comply with these requirements may result in penalties and fines [1.1].
In addition, if a licensee experiences a cybersecurity event that meets certain criteria, it is required to notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred [1.1]. The licensee shall provide as much information as possible, including a description of how the information was exposed, lost, stolen, or breached, the identity of the source of the cybersecurity event, and a description of the efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur [1.1].
However, it is important to note that the South Carolina Insurance Data Security Act does not create any duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network [1.2].
Furthermore, certain exemptions from the provisions of the South Carolina Insurance Data Security Act exist, including: licensees with fewer than ten employees; an employee, agent, representative, or designee of a licensee who is also a licensee; and a licensee subject to the Health Insurance Portability and Accountability Act (HIPAA) that has established and maintains an information security program pursuant to those statutes and the rules, regulations, procedures, or guidelines established thereunder [1.4].
Therefore, while certain exemptions exist, it is generally required for licensees in South Carolina to have a data breach response plan as part of their information security program.
Source(s):
- [1.1] Notification requirements following cybersecurity event.
- [1.2] No creation of liability.
- [1.4] Exemptions from provisions of chapter.
- [1.5] Information security program; compliance.
Jurisdiction
South Carolina