The South Carolina Insurance Data Security Act (the “Act”) took effect on January 1, 2019. The bill, which largely resembles the New York Department of Financial Services cybersecurity regulations, is based on the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law and is intended to establish minimum data security, breach notification, and incident response standards for insurance entities operating in South Carolina. This post provides an overview of some of the key provisions.
The Act requires “licensees” to develop, implement, and maintain a comprehensive risk-based written information security program (“WISP”), which includes administrative, technical, and physical safeguards. A licensee is a person or entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of South Carolina.
The WISP must be designed to protect the confidentiality, integrity, and security of nonpublic information and the licensee’s information system; protect against unauthorized access to or use of nonpublic information; minimize the likelihood of harm to a consumer; and define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when the nonpublic information is no longer needed. Nonpublic information – defined rather expansively – includes a licensee’s business-related information which, if disclosed, accessed, or used without authorization, would materially harm the licensee; any information about a consumer that, in combination with specific data elements, can identify the consumer; or any information related to the health care of a consumer, except age or gender, created by or derived from a health care provider or a consumer. The WISP requirement takes effect on July 1, 2019.
The Act also requires the licensee to designate an entity responsible for the information security program, identify potential threats against any nonpublic information, and assess the sufficiency of safeguards in place to manage these threats. The licensee must then implement additional safeguards, as appropriate, to manage identified threats, and must determine the appropriateness of a bevy of specific controls such as access controls, encryption, and multifactor authentication, as part of that process.
Annually, each insurer domiciled in South Carolina must certify that it is in compliance with the WISP requirements.
As part of the WISP, a licensee must also establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event (defined as “an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system”).
If the licensee learns that a cybersecurity event has occurred, or may have occurred – whether impacting its own systems or those maintained by a third-party service provider – the licensee, an outside vendor, or the third party itself must conduct a prompt investigation of the event. The licensee must maintain records concerning all cybersecurity events for at least five years from the date of the event.
The licensee must notify the Director of the Department of Insurance or his designee within 72 hours after determining that a cybersecurity event has occurred, if:
- South Carolina is the licensee’s state of domicile (in the case of an insurer), or the licensee’s home state in the case of an insurance producer, or
- the licensee reasonably believes that the unencrypted nonpublic information involved relates to at least 250 consumers residing in South Carolina, and the cybersecurity event (a) requires that notice be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law, or (b) has a reasonable likelihood of materially harming consumers residing in South Carolina or a material part of the normal operations of the licensee.
Third-Party Service Providers
When selecting third-party service providers, licensees must exercise due diligence, and require third-party service providers to implement appropriate administrative, technical, and physical measures to protect the information systems and nonpublic information that are accessible or held by them. The requirements applicable to third-party service providers are subject to the delayed implementation provision and will become effective July 1, 2020. Note: Michigan enacted HB 6491 – also based on the NAIC Insurance Data Security Model Law – on December 28, 2018.