Global Data Privacy Guide
USA, South Carolina (United States)
Firm: Wyche
Contributors: Meliah Jefferson
What is the key legislation? | Like many states, South Carolina does not have a single comprehensive legislative framework governing data privacy. In addition to Federal laws governing data privacy, laws regulating data privacy and data security in South Carolina are found in multiple statutes including statutes regulating state agencies (S.C. Code Ann. § 1-11-490), trade and commerce (S.C. Code Ann. § 39-1-90), the Financial Identity Fraud and Identity Theft Protection Act (S.C. Code Ann. § 37-20-110, et seq.), and the South Carolina Unfair Trade Practices Act (S.C. Code Ann. § 39-5-10, et seq.). South Carolina also regulates the privacy practices of specific industries through statutes like the South Carolina Insurance Data Security Act (S.C. Code Ann. § 38-99-10, et seq.), the South Carolina Department of Education Data Use and Governance Policy (S.C. Code Ann. § 59-1-490), the Family Privacy Protection Act (S.C. Code Ann. § 30-2-10, et seq.), and the Physicians’ Patient Records Act (S.C. Code Ann. § 44-115-10, et seq.), among others. |
What data is protected? | South Carolina laws protect personally identifiable information (“PII”). PII includes an individual resident’s first name or first initial and last name when combined with or linked to any of the following: social security number; state-issued license or identification card number; financial account or credit/debit card number with any required security code; or other information that may be used to access the person’s financial information. It does not apply when the data elements are encrypted or redacted and excludes information lawfully obtained from publicly available information or records. In addition to PII, the Insurance Data Security Act also protects other “non-public information” including business-related information which would cause a material adverse impact if tampered with or improperly disclosed, and individual healthcare information. |
Who is subject to privacy obligations? | Any person or entity conducting business in the State, and owning or licensing computerized data or other data that includes PII is subject to data privacy and security obligations pursuant to the Financial Identity Fraud and Identity Theft Protection Act. Additionally, any person or entity who qualifies as a licensee by the Department of Insurance is subject to data privacy and security obligations pursuant to the Insurance Data Security Act. Governmental entities, educational institutions and providers, and physicians and health care providers, and others in specific industries regulated by the state are also subject to data privacy obligations. |
What are the principles applicable to personal data processing? | Other than the laws noted in section 1, South Carolina does not have any specific legislation regulating the collection of personal data. |
How is the processing of personal data regulated? | Other than the laws noted in section 1, South Carolina has laws, rules, and regulations that limit public disclosure of a resident’s PII by requiring certain redactions in publicly filed documents or limiting the manner in which identifiers, such as social security numbers, may be displayed on printed documents. |
How are storage, security and retention of personal data regulated? | Other than the laws noted in section 1, South Carolina consumer protection laws also require businesses to dispose of records containing PII by shredding, erasing, or other means that renders the PII unreadable or undecipherable. In certain cases, South Carolina law also requires that PII be removed or sanitized from technology hardware and storage media before it is sold or transferred. |
What are the data subjects' rights? | While nothing prohibits an individual from requesting modification or correction of PII, unlike the GDPR, there is no law specifically governing rights of access to or correction of personal data. |
Are there restrictions on cross-border data transfers? | N/A |
Are there any notification requirements for data breaches? | The Financial Identity Fraud and Identity Theft Protection Act and other statutes require a person or entity subject to its reach to issue notifications of a breach without unreasonable delay following the discovery or notification of a breach. The notice must be given to any resident whose PII was, or is reasonably believed to have been, acquired by an unauthorized person. The notice may be delivered in writing, by telephone, or by electronic means but only when that is your primary means of communication with the impacted individual or when consistent with the E-Sign Act, 15 U.S.C. § 7001. Substitute notice is allowed if you can show that the cost of providing notice exceeds USD $250,000, or that the number of affected residents exceeds 500,000, or you have insufficient contact information. Substitute notice requires all of the following: email notice when you have a verified email address; conspicuous posting of the notice on your website; and notification to major statewide media outlets. If the data breach impacts more than 1,000 residents, you must also notify the Consumer Protection Division of the Department of Consumer Affairs and all national consumer reporting agencies. You may delay notification in cases where a law enforcement agency determines that the notification will interfere with a criminal investigation but must make the required notification after the law enforcement agency determines that such notification no longer impedes the investigation. Governmental entities are similarly regulated by South Carolina law. Additionally, the Insurance Data Security Act requires a licensee to notify the Department of Insurance of a data breach if it is “an event resulting in unauthorized access to, or the disruption or misuse of an information system or information stored on an information system.” |
Who is the privacy regulator? | The Department of Consumer Affairs may levy an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of a data breach where it determines that a person or entity knowingly and willfully violates the state’s notification requirements under the Financial Identity Fraud and Identity Theft Protection Act. While the South Carolina Unfair Trade Practices Act does not expressly address data privacy, its provisions do prohibit unfair or deceptive acts in commerce. If this is construed to include acts related to data privacy, the Attorney General may bring an enforcement action. The Director of the Department of Insurance has the power and authority to enforce the provisions of the South Carolina Department of Insurance Data Security Act. |
What are the consequences of a privacy breach? | A resident may bring a civil action to recover damages for a willful and knowing violation of South Carolina’s data breach notification requirements. If the violation was merely negligent, the resident is limited to actual damages. In addition to damages, the resident may seek injunctive relief and attorney’s fees. Treble damages are available for those violations deemed to fall within the Unfair Trade Practices Act. The Department of Consumer Affairs may levy an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of a data breach where it determines that a person knowingly and willfully violates the state’s notification requirements under the Financial Identity Fraud and Identity Theft Protection Act. The Attorney General may bring an action under the Unfair Trade Practices Act seeking injunctive relief or a civil penalty, which varies in amount depending on the type of violation. Under the South Carolina Department of Insurance Data Security Act, the Director of the Department of Insurance may suspend the licensee’s authority to conduct activity in the State or seek penalties ranging from USD $2,500 to $30,000. The higher penalties are levied for willful conduct and on those parties categorized as an insurer or a health maintenance organization. |
How is electronic marketing regulated? | Other than the laws noted in section 1, South Carolina does not have a specific law regulating electronic marketing. |
Are there any recent developments or expected reforms? | The South Carolina Department of Insurance Data Security Act went into effect on January 1, 2019. The law is focused on the insurance industry and applies to South Carolina licensees, which includes individuals and entities operating as insurers, agents and other licensed entities regulated by the South Carolina Department of Insurance. It requires licensees to establish written policies and procedures to manage and secure personal information from cybersecurity threats and to establish a written incident response plan to address the occurrence of a cybersecurity event. It also sets forth requirements for notification of a breach. Although this law is specifically related to the insurance industry, any person handling personal information should look to this law for guidance on data privacy and security obligations in South Carolina. |