On January 1st, South Carolina became the first state to adopt the model insurance data security law requiring certain insurance licensees to investigate and report cybersecurity events in the state of South Carolina. The law also requires licensees to develop, implement and maintain written information security programs that are tailored to the size, complexity and risk level of the particular licensee. The information security program must contain administrative, technical and physical safeguards to protect nonpublic information and the licensee’s information system. Licensees will also be required to impose information security obligations on certain third-party service providers.
The South Carolina Insurance Data Security Act, which became law in mid-2018, applies to South Carolina insurance licensees and registrants and to persons required to be licensed, registered or authorized to conduct insurance business in South Carolina. The act does not apply to purchasing groups or risk retention groups chartered and licensed in another state, or to any licensee that acts as an assuming insurer and is domiciled in a state other than South Carolina. The act exempts certain licensees, including those with fewer than 10 employees (including independent contractors) and those subject to the Health Insurance Portability and Accountability Act (HIPAA), provided that the licensee has established and maintains a HIPAA-compliant information security program and submits a written statement certifying compliance to the director of the South Carolina Department of Insurance.
Notably, the act relates to cybersecurity events involving “nonpublic information.” In addition to consumers’ personally identifiable information and health information, the act covers business-related information of a licensee, the compromise of which could cause material adverse impact to the business, operations or security of the licensee.
A licensee must conduct a prompt investigation if it learns that a cybersecurity event has occurred or may have occurred. The investigation must allow the licensee to: (1) determine whether a cybersecurity event occurred; (2) assess the nature and scope of the event; (3) identify nonpublic information that may have been involved; and (4) take reasonable measures to restore the security of the information systems to prevent further compromise. The licensee’s investigation requirements extend to cybersecurity events that may have occurred in a system maintained for the licensee by a third-party service provider.
Within 72 hours of determining that a cybersecurity event has occurred, a licensee must notify the director if either of the following applies:
- the licensee is an insurer domiciled in South Carolina or a producer whose home state is South Carolina; or
- the licensee reasonably believes that the nonpublic information involved relates to at least 250 consumers residing in South Carolina, and either:
  - the cybersecurity event requires the licensee to notify any governmental, regulatory or supervisory body; or
  - the cybersecurity event has a reasonable likelihood of materially harming a South Carolina consumer or a material part of the normal operations of the licensee.
The act requires the licensee to report as much information about the event as soon as possible, and sets forth a list of 13 required data points.
Although the cybersecurity incident reporting requirements are effective immediately, licensees have until July 1, 2019, to comply with the internal information security program elements of the act and until July 1, 2020, to comply with the third-party service provider provisions.
Covered entities should have already consulted (or be in the process of consulting) their company’s data security experts, compliance teams and legal advisers to put in place an information security program and policy that complies with South Carolina’s new law. It is important that companies have a plan and are in a position to execute it effectively to ensure compliance with this new requirement.