Can I ignore my obligations as a service provider with access to personal information in South Carolina? What are the requirements?
Obligations as a Service Provider with Access to Personal Information in South Carolina
As a service provider with access to personal information in South Carolina, you cannot ignore your obligations under the South Carolina Insurance Data Security Act [1.1]. The Act requires licensees to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [1.2].
Licensees must notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria is met: (1) South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State [1.1].
The licensee shall provide as much of the following information as possible [1.1]:
- the date of the cybersecurity event;
- a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, governmental, or law enforcement agencies and, if so, when such notification was provided;
- a description of the specific types of information acquired without authorization;
- the period during which the information system was compromised by the cybersecurity event;
- the number of total consumers in this State affected by the cybersecurity event, in which case the licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director pursuant to this section;
- the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
- a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- the name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.
Therefore, it is important to comply with the notice requirements of Section 39-1-90 and other applicable law, and to provide the director with a copy of the notice sent to consumers whenever a licensee is required to notify the director [1.1].
Additional Requirements
In addition to the South Carolina Insurance Data Security Act, there are other requirements that service providers with access to personal information must comply with. For example, any state agency, board, commission, institution, department, or other state entity which hosts, supports, or provides a link to a page or site accessible through the world wide web must clearly display its privacy policy and the name and telephone number of the person at that agency, board, commission, institution, department, or other state entity who is responsible for administration of the policy [2.1].
Furthermore, a public body, as defined in Section 30-1-10(B), may not collect a social security number or any portion of it containing six digits or more from an individual unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law. Social security numbers collected by a public body must be relevant to the purpose for which collected and must not be collected until and unless the need for social security numbers has been clearly documented [2.2].
Conclusion
As a service provider with access to personal information in South Carolina, you have obligations under the South Carolina Insurance Data Security Act, including developing, implementing, and maintaining a comprehensive written information security program and notifying the director in case of a cybersecurity event. Additionally, you must comply with other requirements, such as displaying a privacy policy on your website and limiting the collection of social security numbers.
Source(s):
- [1.1] Notification requirements following cybersecurity event.
- [1.2] Information security program; compliance.
- [2.1] Display of privacy policy on web site; access to personal information disclosure; criminal justice and judicial agency exception.
- [2.2] Collection of and maintenance and disposition of records containing social security numbers by public agencies.
Jurisdiction
South Carolina