South Carolina became the first state to pass cyber security legislation for insurance companies in 2018. The South Carolina Insurance Data Security Act was passed on May 3rd, 2018 and was modeled after the NAIC Insurance Data Security Model Law. Today we will dive deeper into the law and try to understand the ramifications of this new law.
Who Is Impacted?
This law applies to any “Licensee” operating in South Carolina. As defined by the law, a licensee is:
“... a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”
However, there are a few exceptions to who is required to comply:
- A licensee with fewer than 10 employees, including contractors,
- Anyone that is an employee, agent, or representative of a licensee that is also a licensee,
- A licensee subject to the Health Insurance Portability and Accountability Act (must submit written statement of certification).
What Are The Key Dates?
- January 1st, 2019: South Carolina Insurance Data Security Act became effective.
- July 1st, 2019: Licensees were required to have implemented a comprehensive, written security program as defined in Section 38-99-20 by this date.
- February 15th, 2020: Starting on this date, all licensees must submit a certification to the South Carolina Director of Insurance.
- July 1st, 2020: Licensees are required to implement strict controls around selecting and retaining third-party vendors based on their information technology programs, as defined in Section 38-99-20F.
What Are The Key Elements?
The overall requirements are generally in line with other compliance standards, such as HIPAA and NYDFS. Below are the highlights and a few of the nuances specific to the SC Insurance Data Security Act:
- Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system;
- Perform a risk assessment that includes determining the appropriateness of implementing protections such as multi-factor authentication, regular penetration testing, and encrypting data at rest;
- Require third-party service providers to implement security measures to protect and secure any information systems and personal information by July 1, 2020;
- Report data breaches within 72 hours of the event occurring if they affected 250 or more South Carolina residents; and
- Establish minimum requirements for boards of directors to oversee the development and implementation of the cyber security program, such as requiring the licensee’s executive management to report in writing to the board of directors the overall status of the information security program.
We believe this is a great first step and that many states should follow the lead set by South Carolina. Ohio and Michigan have enacted data security laws for insurers over the past year. Mississippi’s governor approved a measure earlier this year, and Connecticut, New Hampshire and two other states have bills moving in their legislatures. Financial firms, including insurance companies, are highly targeted by attackers due to the types of sensitive data they retain and this law will hopefully help to safeguard this information. While this law does not remove the threat of a breach, the controls it mandates can help mitigate certain threats, reduce an organization’s overall risk profile, and ensure that the proper authorities are being alerted when a breach occurs. Stay tuned for future updates as to how this requirement will be enforced or if other states will begin adopting similar laws.