South Carolina Information Security Standards Summary

S.C. Code Ann. § 37-20-110 - 200


Subject Entities

Businesses and government entities.

Does NOT apply to:

  1. A bank or financial institution subject to and in compliance with the GLBA;
  2. A health insurer subject to and in compliance with HIPAA; or
  3. A consumer credit-reporting agency that is subject to and in compliance with the FCRA.

Security Standard

Must develop, implement, and maintain a comprehensive written information security program based on a risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the entity’s information system, commensurate with:

  1. The size and complexity of the licensee;
  2. The nature and scope of the licensee’s activities; and
  3. The sensitivity of nonpublic information in the licensee’s possession, custody, or control.

Disposal/Destruction Standard

When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or by other means, the personal identifying information to make it unreadable or undecipherable.

Types of Data Covered

Physical or electronic data.

Definitions

“Personal Identifying Information” includes, but is not limited to:

  • Social security number;
  • Driver’s license number or state identification card number;
  • Checking or savings account number;
  • Credit card or debit card number;
  • Personal identification (PIN) number or electronic identification number;
  • Digital signature;
  • Date of birth;
  • Current or former name, including first and last, middle and last, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this section;
  • Current or former address, but only when the address is used in combination with, and linked to, other identifying information provided in this section; or
  • Other numbers, passwords, or information which may be used to access a person’s financial resources, or numbers or information issued by a governmental entity that will uniquely identify an individual or that individual’s financial resources.

“Financial Resources” includes (1) existing money in a checking or savings account, line of credit, or otherwise; (2) a pension plan, retirement fund, annuity, or other fund that makes periodic payments; and (3) a line of credit or debt by loan, credit card, or otherwise for the purpose of obtaining goods, services, or money.
Methods of Compliance

The South Carolina statute does not provide specific methods of compliance. Compliance with the Massachusetts information security standard is recommended. For insurance licensees, South Carolina prescribes a full information security program in the South Carolina Insurance Data Security Act.

Enforcement

A person who willfully violates the statute may be liable for three times the amount of actual damages or not more than one thousand dollars ($1,000) for each incident, whichever is greater, as well as reasonable attorney’s fees and costs.

A person who negligently violates the statute is liable for actual damages and reasonable attorney’s fees and costs.


Last updated: January 2024