This article was prepared by IIABSC staff members and is intended to be a guide to help producers and agencies prepare for the new Insurance Data Security Act.
It is NOT legal advice. Producers and agencies should be familiar with all parts of the new law and should seek professional guidance if in doubt about their compliance.
The SC Insurance Data Security Act becomes effective Jan. 1, 2019 and will affect every South Carolina licensed producer and agency, resident and non-resident. IIABSC has broken out the primary requirements that will affect producers and agencies (there are unique and additional requirements for insurance companies) in an effort to help them comply with the new law. Here are our top five things that producers and agencies should know about the new law.
No. 1: The law applies to ALL SC Department of Insurance licensees: producers, agencies, brokers and insurance companies. It excludes only a very limited and narrow group. If you do not have electronic information, do NOT have any Nonpublic Personal Information (NPI), or are a risk retention group, then you do not have to comply with the new law.
No. 2: ALL producers/agencies must report ALL data breaches to the SC Department of Insurance. There are no exemptions from this part of the law. Beginning Jan. 1, 2019, any loss of electronic data that contains Nonpublic Personal Information must be reported online to the SC Department of Insurance within 72 hours of discovery.
South Carolina resident agencies/producers must report all breaches regardless of the amount of records.
Non-resident agencies/producers must report a breach if:
- Nonpublic information of 250 or more South Carolina consumers is involved, and either
  - Notice is required to be provided to a governmental or self-regulatory agency or any other supervisory body pursuant to state or federal law, or
  - The cybersecurity event has a reasonable likelihood of materially harming:
    - Any consumer residing in South Carolina
    - Any material part of the normal operations of the licensee
No. 3: There are limited exemptions. Some exemptions from part of the law apply to:
- Licensees with fewer than 10 employees, including independent contractors.
- Licensees covered under another licensee's security plan (an individual producer would normally be covered under an agency's security plan).
- Licensees subject to HIPAA that submit written certification of compliance with HIPAA.
- Licensees that certify compliance with the New York Cyber Security Regulation.
The exemption applies only to the requirement to have a written security plan; all licensees must comply with the reporting requirements. Also, qualifying for an exemption does not exempt a licensee from protecting NPI under other state and federal laws such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act and HIPAA. For more details on the requirements of these laws, see the Agents Council for Technology's Cyberguide 3.0.
No. 4: If you do not qualify for exemptions, there are additional requirements for producers/agencies. These requirements include:
- Conducting a risk assessment of your agency. The risk assessment will be different for each licensee depending on the size and complexity of your operation. The assessment should include identification of reasonably foreseeable internal and external threats to NPI, evaluation of the policies, procedures and information systems that protect against those threats, and continued monitoring to assess the effectiveness of safeguards.
- Implementing an information security program (deadline is July 1, 2019). Your agency should compile a written security plan that addresses any known or suspected threats as well as how your office will respond to a cybersecurity breach. IIABSC members can start with the downloadable cyber security plan template available through the Agents Council for Technology (this tool is available to IIABSC members only).
- Providing cybersecurity awareness training for employees and third parties. Employees should be trained to protect NPI data, to alert management to suspicious computer activity, to recognize email scams, to safeguard computers by locking them and keeping them secure, to change and protect passwords according to agency policy, and to be familiar with the laws that protect the information they use to perform their jobs.
- Exercising due diligence in the selection of third-party vendors and requiring them to implement the necessary security measures (deadline is July 1, 2020). There will be more guidance on this requirement from the SC Department of Insurance. Ultimately, SC licensees will be held accountable for the actions of the third-party vendors that the agency works with and that have access to agency NPI. SEE BELOW FOR MORE ABOUT THIRD-PARTY RECOMMENDATIONS.
No. 5: One size does not fit all. Please understand that there is no single answer to compliance with this new law. Each agency/producer may use different solutions to comply. Whatever track your operation takes, document your compliance efforts. While you do not have to report to the DOI how you are complying with the law, in the event of a data breach in your agency the DOI investigation will include an analysis of your preparation and prevention. Other tips for effective compliance include:
- Be methodical in your approach to compliance.
- Assign responsibilities for the information security program (ISP) and hold people accountable.
- Devote the necessary time and resources to your risk assessment.
- Develop a plan/framework for your information security program with checklist(s) for each significant part of the Act.
- Develop security policies, standards and guidelines based on your business risk assessment.
- Train your employees.
More about third parties:
SC licensees will be held accountable for the actions of their third-party vendors, so it is important to ensure they implement appropriate administrative, technical and physical measures to protect and secure the systems and nonpublic information (NPI) accessible to them. Third-party service providers (TPSPs) have been responsible for most of the cyber event notifications the South Carolina Department of Insurance has received to date. IIABSC has put together information to help our members comply, as well as a short TPSP questionnaire that can be sent to the agency's TPSPs to gather information on their cyber-security measures.
VIEW IA GUIDE TO THIRD-PARTY SERVICE PROVIDERS
Other Sources for Help
- Complete information on the law and access to the DOI bulletins are available at the SC Department of Insurance cyber resource page. We recommend watching the DOI webinar overview of the law and reviewing the PowerPoint presentation prepared by DOI staff.
- IIABSC members can review and download additional cyber tools and resources from the Agents Council for Technology (ACT), including a downloadable cyber security plan template.
- Your IT support team will also be a valuable resource for compliance, from helping assess your risk to implementing technology safeguards and protocols.
- All agencies should consider a cyberliability insurance policy. Cyber insurance policies with breach response coverage are an affordable and valuable protection for your agency should you have to respond to a data breach. IIABSC offers cyberliability insurance, complete with an online risk assessment of your agency, from Coalition. This program is also available for you to offer your clients.
Protection of your clients' personal information is one of the highest priorities you and your staff should have. Be proactive and implement the necessary steps not only to comply with SC law, but to safeguard your clients' information. For more information regarding the SC Insurance Data Security Act, contact Becky McCormack or Frank Sheppard at 803-731-9460.
View Bulletins from SCDOI
Bulletin 2018-02: details to whom the Act applies and when the legislation is effective, as well as the full text of the bill.
Bulletin 2018-09: provides guidance on what constitutes a cybersecurity event and addresses the process for reporting an event.
Bulletin 2018-12: provides information on exemptions from information security program requirements.
Bulletin 2020-04: an overview of issues to consider when reviewing the use of third-party service providers in compliance with provisions of the SC Insurance Data Security Act.
Key Implementation Dates
January 1, 2019: South Carolina Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.
July 1, 2019: Licensees must have implemented Section 38-99-20 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.
February 15, 2020: Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20.
July 1, 2020: Licensees must have implemented Section 38-99-20(F) by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or are otherwise permitted access to nonpublic information through their provision of services to the licensee.