S.C. Code Ann. § 37-20-110 - 200 |
Subject Entities |
Businesses and government entities. Does NOT apply to:
|
Security Standard |
Must develop, implement, and maintain a comprehensive written information security program that is based on a risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the entity’s information system, commensurate with:
|
Disposal/Destruction Standard | When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or by other means, the personal identifying information to make it unreadable or undecipherable. |
Types of Data Covered | Physical or electronic data. |
Definitions |
“Personal Identifying Information” includes, but is not limited to:
|
Methods of Compliance | The South Carolina statute does not provide specific methods of compliance. Compliance with the Massachusetts information security standard is recommended. For insurance licensees, South Carolina prescribes a full information security program in the South Carolina Insurance Data Security Act. |
Enforcement |
A person who commits a willful violation may be liable for three times the amount of actual damages or not more than one thousand dollars ($1,000) for each incident, whichever is greater, as well as reasonable attorney’s fees and costs. A person who commits a negligent violation is liable for actual damages and reasonable attorney’s fees and costs. |
Last updated: January 2024