The National Association of Insurance Commissioners (NAIC) drafted the Insurance Data Security Model Law in 2017. On May 9, 2018, South Carolina became the first state to enact a version of the law. The provisions of the South Carolina Insurance Data Security Act will become effective for businesses on January 1, 2019. Therefore, if you are not aware of how the new law affects your business, you may want to consult a South Carolina business compliance lawyer as soon as possible to avoid any problems.
What is the South Carolina Insurance Data Security Act (“The Act”)?
The requirements of The Act are designed to protect a company’s nonpublic information, including information about a consumer such as a driver’s license number, Social Security Number, and healthcare information. In addition, the requirements are designed to protect the information system for a business.
The Act applies to licensees of the South Carolina Department of Insurance unless the licensee is exempted from the law. A licensee is an individual who is authorized, licensed, or registered or is required to be authorized, licensed, or registered under the insurance laws of South Carolina.
Exemptions from The Act include independent contractors or licensees with fewer than 10 employees and agents. In addition, a licensee may claim exempt status if another licensee’s cybersecurity program protects that licensee. A licensee that complies with HIPAA requirements meets the requirements of The Act upon producing written certification of HIPAA compliance.
Requirements and Implementation of a Data Security Plan
The Act requires licensees to develop, implement, and maintain a comprehensive written information security program (WISP) by July 1, 2019. The program must meet all requirements of The Act. The program must be based on a risk assessment so that the WISP is developed to mitigate identifiable risks for the licensee.
Other key requirements of The Act include:
- Requirements for executive management involvement in the cybersecurity program. The Act specifies certain duties of executive management regarding the information security program. It also requires a written annual report to the Board of Directors providing information related to the WISP.
- A third-party service provider program must be developed and implemented by July 1, 2020. Licensees must conduct due diligence when selecting a third-party service provider to ensure the protection of the licensee’s nonpublic information and information systems.
- Licensees must develop and implement a written incident response plan by January 1, 2019, to respond to and recover from a cybersecurity event.
- Licensees must provide an annual certification of compliance with all requirements under The Act to the South Carolina Department of Insurance. All records supporting the certification must be maintained and produced for inspection by the Department of Insurance.
- Licensees must investigate and disclose certain cybersecurity events within 72 hours of the discovery of the event. The Act also provides detailed requirements for the investigation, disclosure, and response for a cybersecurity event.
Contact a South Carolina Business Compliance Attorney
The above information is not intended to be an exhaustive discussion of all requirements under The Act. To ensure your company complies with all requirements of The Act, contact a South Carolina business compliance attorney.
The steps to comply with the requirements of The Act can be complicated. It is best to work with an attorney to develop your cybersecurity program to avoid penalties and fines. Schedule a consultation with a member of our team at Willcox, Buyck & Williams, P.A. today.