On May 3, 2018, Gov. McMaster signed into law the SC Insurance Data Security Act to ensure that everyone within the South Carolina insurance industry has strong and aggressive cybersecurity programs to protect the personal data of all consumers. The new law will become effective on Jan. 1, 2019 with various steps for compliance through February 2020.
In short, the Act requires all licensees to undergo a data risk assessment and then develop an appropriate, comprehensive written data security information plan for the agency that also addresses third-party service providers with nonpublic data access. Licensees must also notify the Department within 72 hours of determining that a cybersecurity event has occurred. The list of key implementation dates of the Act is below.
Thus far the SCDOI has released Bulletin 2018-02, which details to whom the Act applies and when the legislation is effective as well as the full text of the bill, and Bulletin 2018-09, which provides guidance on what constitutes a cybersecurity event and addresses the process for reporting an event, along with screenshots of the official "Report a Cybersecurity Event" online form.
South Carolina is the first state in the nation to pass this important and timely legislation based on the NAIC Insurance Data Security Model Law. IIABSC is working in coordination with the Department of Insurance and our national association in providing tools needed to be in compliance.
Key Implementation Dates
January 1, 2019: South Carolina Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.
July 1, 2019: Licensees must have implemented Section 38-99-20 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.
July 1, 2020: Licensees must have implemented Section 38-99-20(F) by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee.
February 15, 2020: Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20.