Can I prioritize privacy compliance to gain a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in South Carolina? What are the requirements?
Yes, prioritizing privacy compliance can provide a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in South Carolina.
Requirements
To comply with privacy regulations in South Carolina, licensees must develop, implement, and maintain a comprehensive written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [1.2]. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer [1.2].
Licensees must also comply with the South Carolina Insurance Data Security Act [1.1], which requires licensees to notify the director no later than 72 hours after determining that a cybersecurity event has occurred. The notification must include specific information such as the date of the event, a description of how the information was exposed, and the number of consumers affected. Licensees must also comply with notice requirements and, when required to notify the director, provide the director with a copy of the notice sent to consumers.
Licensees must comply with the South Carolina Telephone Privacy Protection Act [2.1], which prohibits the collection of social security numbers unless authorized by law or imperative for the performance of the public body’s duties and responsibilities. Social security numbers collected must be relevant to the purpose for which they were collected and must not be used for any other purpose.
The director is authorized to promulgate regulations necessary for the administration of the South Carolina Insurance Data Security Act [1.3].
Documents, materials, or other information in the control or possession of the department that are furnished by a licensee or obtained by the director in an investigation or examination are confidential by law and privileged [1.4].
Conclusion
To prioritize privacy compliance in South Carolina, licensees must develop, implement, and maintain a comprehensive written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. Licensees must also comply with the South Carolina Insurance Data Security Act and the South Carolina Telephone Privacy Protection Act, and the director is authorized to promulgate regulations necessary for the administration of the South Carolina Insurance Data Security Act.
Source(s):
- [1.1] Notification requirements following cybersecurity event.
- [1.2] Information security program; compliance.
- [2.1] Short title.
- [1.3] Regulations.
- [1.4] Use of documents, materials, and other information furnished by licensees.
Jurisdiction
South Carolina