Can I ensure that my company is compliant with expanding privacy protections in South Carolina? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in South Carolina, you must comply with the South Carolina Insurance Data Security Act [1.1]. This act establishes standards for data security and standards for the investigation of, and notification to the director of, a cybersecurity event applicable to licensees. The act requires a licensee to notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria is met:
- South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or
- The licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State, and the cybersecurity event impacts the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law, or has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee.
The licensee shall provide as much of the following information as possible [1.1]:
- The date of the cybersecurity event;
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- How the cybersecurity event was discovered;
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done;
- The identity of the source of the cybersecurity event;
- Whether the licensee has filed a police report or has notified any regulatory, governmental or law enforcement agencies and, if so, when such notification was provided;
- A description of the specific types of information acquired without authorization, which means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
- The period during which the information system was compromised by the cybersecurity event;
- The number of total consumers in this State affected by the cybersecurity event, in which case the licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director pursuant to this section;
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
- A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.
A licensee must comply with the consumer notice requirements of Section 39-1-90 and other applicable law, and, whenever the licensee is required to notify the director, must also provide the director with a copy of the notice sent to consumers [1.1].
To further ensure compliance with expanding privacy protections in South Carolina, you may need to comply with other regulations such as the regulations authorized by the director to administer the South Carolina Insurance Data Security Act [1.2]. Additionally, if your company offers electronic services for a pharmacist or pharmacy, you must comply with Section 40-43-86(F) of the South Carolina Pharmacy Practice Act [2.1]. However, there are exemptions from the provisions of the South Carolina Insurance Data Security Act for licensees with fewer than ten employees, including any independent contractors, and for licensees subject to the Health Insurance Portability and Accountability Act (HIPAA) that have established and maintain an information security program pursuant to such statutes, rules, regulations, procedures, or guidelines established thereunder [1.3].
It is important to note that compliance with federal requirements may also be necessary, such as compliance with the federal laws and regulations pertaining to the Federal Family Educational Loan Program administered by the South Carolina State Education Assistance Authority [3.1].
Finally, it is important to understand that documents, materials, or other information in the control or possession of the department that are furnished by a licensee or obtained by the director in an investigation or examination are confidential by law and privileged, are not subject to disclosure under the Freedom of Information Act, and are not subject to subpoena or discovery in a private or civil action [1.4].
Therefore, to ensure compliance with expanding privacy protections in South Carolina, your company must have a cybersecurity event response plan in place that includes the requirements of the South Carolina Insurance Data Security Act, and may need to comply with other relevant regulations and federal requirements.
Source(s):
- [1.1] Notification requirements following cybersecurity event.
- [1.2] Regulations.
- [1.3] Exemptions from provisions of chapter.
- [1.4] Use of documents, materials, and other information furnished by licensees.
- [2.1] Compliance with South Carolina Pharmacy Practice Act.
- [3.1] Compliance with Federal Requirements.
Jurisdiction: South Carolina