Disposal Vendors must be contracted. Organizations are considered to be compliant with disposal requirements when contracting with a Vendor for the disposal of personal information. Organizations and Vendors must have measures in place for the destruction of personal information so the records are unreadable or undecipherable.

Breach reporting to the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis is required in the event a business provides notice to more than 1,000 persons, without unreasonable delay.

If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.

South Carolina passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 1, 2019 licensees must comply with the breach notification requirements, including Commissioner notification within 72-hours.

Willful violations involving breach notification are subject to an administrative fine in the amount of $1,000 for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs. A civil action may also be brought by a resident to recover actual damages resulting from a negligent violation, injunctive relief to enforce compliance, and recovery of attorney’s fees and costs. Violations involving the protection of social security numbers and data disposal laws can carry a penalty of liability for three times the amount of actual damages or not more than $1,000 for each incident, whichever is greater, as well as reasonable attorney’s fees and costs.