On May 3, 2018, Gov. McMaster signed into law the SC Insurance Data Security Act to ensure that everyone within the South Carolina insurance industry has strong and aggressive cybersecurity programs to protect the personal data of all consumers. The new law will become effective on Jan. 1, 2019 with various steps for compliance through February 2020.
In short, the Act requires all licensees to undergo a data risk assessment and then develop an appropriate, comprehensive written data security information plan for the agency that also addresses third-party service providers with nonpublic data access. Licensees must also notify the Department within 72 hours of determining that a cybersecurity event has occurred. The list of key implementation dates of the Act is below.
Thus far the SCDOI has released:
- Bulletin 2018-02, which details to whom the Act applies and when the legislation is effective, as well as the full text of the bill,
- Bulletin 2018-09, which provides guidance on what constitutes a cybersecurity event and addresses the process for reporting an event, and
- Bulletin 2018-12, which provides information on exemptions from information security program requirements (licensees must still comply with other Act provisions).
According to Bulletin 2018-02, agencies with 9 or fewer employees and an information security program and agencies with certified HIPAA compliance are exempt from the requirements of the new law.
According to Bulletin 2018-09, a cybersecurity event is defined as an event resulting in unauthorized access to, disruption or misuse of an Information System or information stored on the system.
You must report a cybersecurity event to the Department of Insurance if:
- Your business resides in South Carolina
- Your business doesn’t reside in South Carolina but 250 or more SC consumers were impacted such that you had to notify another state or federal government entity or there is the possibility of material harm to a South Carolina consumer or your business.
You don’t have to report when:
- Someone gets encrypted nonpublic data but did not also get the encryption key to “unlock” the data.
- You can prove it was returned or destroyed before it could be used or released.
- You lose information in paper form only.
- Temporary interruptions in service are due to power outages or other benign causes, unless the disruption results in the unauthorized access, misuse or disruption of the licensee’s information system or that of a third-party service provider.
According to Bulletin 2018-12, there are limited exemptions for some, but they apply only to having a written security plan. All licensees must comply with the reporting requirements, and all licensees must protect nonpublic information under other state and federal laws.
Exemptions from part of the law apply to:
- Licensees with fewer than 10 employees, including independent contractors.
- Licensees that come under another licensee’s security plan (an individual producer would normally be covered under an agency security plan).
- Licensees subject to HIPAA that submit written certification of compliance with HIPAA.
- Licensees that certify compliance with the New York Cyber Security Regulation.
A final bulletin with detailed information on third-party service provider program requirements is expected soon.
South Carolina is the first state in the nation to pass this important and timely legislation based on the NAIC Insurance Data Security Model Law. IIABSC is working in coordination with the Department of Insurance and our national association in providing tools needed to be in compliance.
Key Implementation Dates
January 1, 2019: South Carolina Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.
July 1, 2019: Licensees must have implemented Section 38-99-20 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.
February 15, 2020: Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20.
July 1, 2020: Licensees must have implemented Section 38-99-20(F) by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or are otherwise permitted access to nonpublic information through their provision of services to the licensee.