South Carolina Governor Henry McMaster signed an insurer data security bill into law on May 14, 2018, making the state the first in the nation to enact a version of the NAIC Insurance Data Security Model Law. The law will become effective on January 1, 2019 and apply to insurance companies, insurance agencies, and other entities licensed by the South Carolina Department of Insurance.
According to the South Carolina Insurance Data Security Act, all insurers, agents, and other licensed entities must create a comprehensive, written data security program by the effective date. The specifics of the program should relate to the size and complexity of the licensee’s business, the precise nature of its activities, and the sensitivity of the private information it stores and uses.
The law requires each licensee to conduct an individualized risk assessment before formulating its data security program, which should mitigate the identified risks. Based on their risk assessments, insurers and agents must implement measures such as access controls, inventories (of data, devices, systems, etc.), restricted physical access, secure app development practices, and multi-factor authentication, among others.
In addition, the law gives insurer boards of directors formal accountability for data security. It requires company executives to report at least annually to their boards on the status of their data security efforts and on any “material matters” that have arisen.
Starting July 1, 2020, insurers and agents must extend the program to third-party service providers. This involves exercising appropriate due diligence when selecting providers, as well as requiring them to implement measures to keep the licensee’s non-public information safe.
Since the scope of the new law is quite broad, South Carolina lawmakers decided to exempt insurance licensees that have fewer than 10 employees (including independent contractors).
Bottom-line impact of the new law? Edward J. McAndrew, an attorney with Ballard Spahr LLP, wrote in the National Law Review that it “is a significant development. Other state legislatures are currently considering similar legislation, and the requirements of this Act (and the Model Law) will likely be cited in cybersecurity matters beyond the insurance industry.”