Can I use third-party marketing automation tools that collect personal information in South Carolina? What are the requirements?

Based on the information provided, it is unclear whether the use of third-party marketing automation tools that collect personal information is authorized by law or imperative for the performance of your duties and responsibilities. However, if you use third-party service providers, you must identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers ^[1.3]. You must assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee’s operations, including employee training and management, information systems, and detecting, preventing, and responding to attacks, intrusions, or other systems failures ^[1.3].

Additionally, if you collect personal information from South Carolina residents, you must comply with the notification requirements following a cybersecurity event ^[1.2]. You must notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria are met: (1) South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State ^[1.2].

Furthermore, you must ensure that the caller identification information you display is accurate and not misleading, false, or inaccurate ^[3.1]. You may not display a South Carolina area code on the recipient’s caller identification system unless you maintain a physical presence in the State ^[3.1].

It is recommended that you consult with legal counsel to determine the specific requirements and restrictions that apply to your situation.

Source(s):

• [1.2] Notification requirements following cybersecurity event.
• [3.1] Accuracy of caller identification information required; exceptions.
• [1.3] Information security program; compliance.

Jurisdiction

South Carolina

• Privacy