Can I use third-party file sharing tools that collect personal information in South Carolina? What are the requirements?
Use of third-party file sharing tools that collect personal information in South Carolina
Based on the provided context documents, South Carolina law does not explicitly prohibit the use of third-party file sharing tools that collect personal information. However, licensees are required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [1.3].
Licensees are also required to identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers [1.3].
Therefore, if a licensee chooses to use a third-party file sharing tool that collects personal information, they must ensure that the tool is secure and that appropriate safeguards are in place to protect the nonpublic information. The licensee must also assess the risks associated with using the tool and implement measures to mitigate those risks [1.3].
It is important to note that the South Carolina Insurance Data Security Act prohibits intentionally communicating or otherwise making available to the general public an individual’s social security number or a portion of it containing six digits or more or other personal identifying information [2.1]. Therefore, if the third-party file sharing tool collects social security numbers or other personal identifying information, the licensee must ensure that the information is not intentionally communicated or made available to the general public.
Notification requirements following cybersecurity event
In the event of a cybersecurity event, a licensee must notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria are met: (1) South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State [1.2].
The licensee must provide as much information as possible, including:
- the date of the cybersecurity event;
- a description of how the information was exposed, lost, stolen, or breached;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, governmental or law enforcement agencies;
- a description of the specific types of information acquired without authorization;
- the period during which the information system was compromised by the cybersecurity event;
- the number of total consumers in this State affected by the cybersecurity event;
- the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
- a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- the name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee [1.2].
In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat such event as it would under subsection (A) [1.2].
Therefore, if a licensee chooses to use a third-party file sharing tool that collects personal information, they must ensure that appropriate safeguards are in place to protect the nonpublic information and that the tool is not used to intentionally communicate or make available to the general public an individual’s social security number or other personal identifying information. Additionally, if a cybersecurity event occurs, the licensee must notify the director and provide the necessary information as outlined in the South Carolina Insurance Data Security Act [1.2][2.1].
Requirements for using third-party file sharing tools in South Carolina
If a licensee chooses to use a third-party file sharing tool that collects personal information, they must ensure that the tool is secure and that appropriate safeguards are in place to protect the nonpublic information. The licensee must also assess the risks associated with using the tool and implement measures to mitigate those risks [1.3].
Additionally, licensees are required to identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers [1.3].
Therefore, licensees must ensure that the third-party file sharing tool is secure and that appropriate safeguards are in place to protect the nonpublic information. The licensee must also assess the risks associated with using the tool and implement measures to mitigate those risks. If the third-party file sharing tool collects social security numbers or other personal identifying information, the licensee must ensure that the information is not intentionally communicated or made available to the general public [2.1].
Source(s):
- [1.2] Notification requirements following cybersecurity event.
- [2.1] Collection of and maintenance and disposition of records containing social security numbers by public agencies.
- [1.3] Information security program; compliance.
Jurisdiction
South Carolina