As of the first of this year, the South Carolina Insurance Data Security Act has gone into effect. These regulations are based primarily on the National Association of Insurance Commissioners’ Data Security Model Law and are the first of their kind in the U.S. However, given increasing public scrutiny of how businesses handle sensitive information, it is likely that such regulations will be taken up by other states in the years to come. New York, for instance, already has similar regulations in place via the Department of Financial Services, not to mention the California Consumer Privacy Act of 2018. Insurance carriers, brokers, agents and other licensed entities should therefore take some time to familiarize themselves with these new regulations.
The South Carolina Insurance Data Security Act contains two major aspects:
- It requires any “person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to [ ] insurance laws” to notify the state within 72 hours of any cyber security event. The regulation defines such an event as any event “resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.”
- Licensees are required to maintain a comprehensive information security program that details how the company will protect the security and confidentiality of private information against outside threats. Companies must conduct a full risk assessment of a cyber security event in order to then design and implement a program to mitigate identified risk.
- Licensees will also be required to implement a third-party provider program and to require that their providers implement appropriate administrative, technical and physical measures to protect non-public information and relevant systems.
It must be noted that these regulations pertain not only to insurance companies, but will also impact insurance brokers, agents, other licensees and their third-party vendors. The first deadline requires a written security program to be in place by July 1, 2019. The third-party provider program needs to be in place by July 1, 2020.
Moreover, the regulations themselves could easily be applied to fields outside of insurance. The concept of an information security program, for instance, is something that any business handling private information should begin considering in the event that similar regulations are applied across other states and in different sectors.