
South Carolina

Click here to review text of state statute (see S.C. Code §39-1-90).

[For specific rules applicable to the insurance industry – click here.]

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of South Carolina residents.

Definition also includes other numbers or information which may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely identify an individual.

Important definitions:

“Security Breach” means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromise the security, confidentiality, or integrity of the personal information, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.

Covered Entities* / Third Party Recipients

Subject to statute:

A person or legal entity (including cooperative or association) conducting business in South Carolina and owning or licensing computerized data or other data that includes personal identifying information.

Third party recipients:

A person conducting business in South Carolina and maintaining computerized data or other data that includes personal information that the person does not own must notify the owner or licensee of the information of a security breach immediately following discovery of the breach.

Notice Procedures & Timing / Other Obligations

Written, electronic, or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).

  • Substitute notice is available by means prescribed in the statute if costs exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
  • Notification is only required when illegal use of the personal data acquired has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to the resident.

Other Obligations:

Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify consumer reporting agencies without unreasonable delay.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted, redacted or otherwise rendered unusable.

Other exemptions:

Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of its business so long as personal information is not used or subject to further unauthorized disclosure.

A covered entity is deemed in compliance with the South Carolina statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the South Carolina statute.

A financial institution subject to GLBA is exempt.

Financial institutions subject to and in compliance with federal interagency guidelines are deemed in compliance with the South Carolina statute.

Notification to Regulator / Waiver

Consumer Protection Division of Department of Consumer Affairs must be notified if a single breach affects more than 1,000 residents.

A determination of no likelihood of harm: Does not require notification to attorney general.

Penalties

Knowing and willful violations subject to an administrative fine in the amount of $1,000 for each affected resident (amount to be decided by Department of Consumer Affairs).

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

A resident of South Carolina who is injured by a violation may institute a civil action to seek an injunction and to recover damages and attorneys’ fees and costs, if successful.

 

Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
