Can I use third-party collaboration tools that collect personal information in South Carolina? What are the requirements?

Using Third-Party Collaboration Tools that Collect Personal Information in South Carolina

Yes, you can use third-party collaboration tools that collect personal information in South Carolina, but you must ensure that your information security program includes safeguards to protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer ^[1.3]. You must also assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of your operations, including employee training and management, information systems, and detecting, preventing, and responding to attacks, intrusions, or other systems failures ^[1.3].

It is important to note that the use of personal information by third-party service providers is subject to the same requirements as the licensee itself ^[1.3]. Therefore, you must ensure that your third-party collaboration tools comply with the same information security program requirements as your own organization.

In the event of a cybersecurity event, you must notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria are met: (1) South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee ^[1.2]. You must provide as much information as possible, including a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any ^[1.2].

Additionally, you must not knowingly obtain or use personal information obtained from a state agency, a local government, or other political subdivision of the State for commercial solicitation directed to any person in this State ^[2.2]. All state agencies, local governments, and political subdivisions of the State shall take reasonable measures to ensure that no person or private entity obtains or distributes personal information obtained from a public record for commercial solicitation ^[2.2].

Conclusion

To use third-party collaboration tools that collect personal information in South Carolina, you must ensure that your information security program includes safeguards to protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer. You must also ensure that your third-party collaboration tools comply with the same information security program requirements as your own organization. In the event of a cybersecurity event, you must notify the director and provide as much information as possible. Finally, you must not knowingly obtain or use personal information obtained from a state agency, a local government, or other political subdivision of the State for commercial solicitation directed to any person in this State.

Source(s):

• [1.2] Notification requirements following cybersecurity event.
• [2.2] Obtaining personal information from state agency, local government, or other political subdivision for commercial solicitation; penalty.
• [1.3] Information security program; compliance.

Jurisdiction

South Carolina

• Privacy