Can I use third-party cloud storage services that collect personal information in South Carolina? What are the requirements?
Yes, you can use third-party cloud storage services that collect personal information in South Carolina, but you must comply with the South Carolina Code of Laws. Specifically, you must comply with the requirements set forth in SCCL 38-99-20, which mandates that each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
Requirements for using third-party cloud storage services that collect personal information in South Carolina
The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer. Additionally, the licensee must identify reasonably foreseeable internal or external threats that could result in unauthorized access to, or the transmission, disclosure, misuse, alteration, or destruction of, nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers. A cloud storage provider that holds your personal information is such a third-party service provider, so its handling of that information falls within the scope of your risk assessment.
The licensee must assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information, assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, and implement information safeguards to manage the threats identified in its ongoing assessment. The licensee must also monitor, evaluate and adjust the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee’s own changing business arrangements including, but not limited to, mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
If you are a public body, as defined in Section 30-1-10(B), you must comply with the requirements set forth in SCCL 30-2-310, which mandates that a public body may not collect a social security number or any portion of it containing six digits or more from an individual unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law. Social security numbers collected by a public body must be relevant to the purpose for which collected and must not be collected until and unless the need for social security numbers has been clearly documented.
Additionally, a public body must not intentionally communicate or otherwise make available to the general public an individual’s social security number or a portion of it containing six digits or more or other personal identifying information. If a public body disposes of a record that contains personal identifying information of an individual, the body shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
Notification requirements following cybersecurity event
If you are using third-party cloud storage services that collect personal information in South Carolina, you must also comply with the notification requirements set forth in SCCL 38-99-40. A licensee shall notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria is met: (1) South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is that of no fewer than two hundred and fifty consumers residing in this State, and the cybersecurity event either (a) impacts the licensee in a way for which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law, or (b) has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee.
The licensee shall provide as much of the following information as possible, in electronic form as directed by the director, and has a continuing obligation to update and supplement initial and subsequent notifications to the director concerning the cybersecurity event. The information sent to the director must include:
- the date of the cybersecurity event;
- a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, governmental, or law enforcement agencies and, if so, when such notification was provided;
- a description of the specific types of information acquired without authorization, meaning particular data elements such as types of medical information, types of financial information, or types of information allowing identification of the consumer;
- the period during which the information system was compromised by the cybersecurity event;
- the number of total consumers in this State affected by the cybersecurity event, for which the licensee shall provide its best estimate in the initial report to the director and update this estimate with each subsequent report to the director pursuant to this section;
- the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
- a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- the name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.
In summary, you can use third-party cloud storage services that collect personal information in South Carolina, but you must comply with the information security program requirements of SCCL 38-99-20 and, if you are a public body, the social security number restrictions of SCCL 30-2-310. You must also comply with the notification requirements set forth in SCCL 38-99-40 following a cybersecurity event.
Jurisdiction
South Carolina