South Carolina Introduces Insurance Data Security Law

Published in Cyber Security & Compliance on 06/04/2018 by Harry Lew, Chief Content Writer.

South Carolina Governor Henry McMaster signed an insurer data security bill into law on May 14, 2018, making the state the first in the nation to enact a version of the NAIC Insurance Data Security Model Law. The law will become effective on January 1, 2019 and apply to insurance companies, insurance agencies, and other entities licensed by the South Carolina Department of Insurance.


According to the South Carolina Insurance Data Security Act, all insurers, agents, and other licensed entities must create a comprehensive, written data security program by the effective date. The specifics of the program should relate to the size and complexity of the licensee’s business, the precise nature of its activities, and the sensitivity of the private information it stores and uses.

The law requires each licensee to conduct an individualized risk assessment before formulating its data security program, which must be designed to mitigate the identified risks. Based on their risk assessments, insurers and agents must implement measures such as access controls, inventories (of data, devices, systems, etc.), restricted physical access, secure application development practices, and multi-factor authentication, among others.

In addition, the law gives insurer boards of directors formal accountability for data security. It requires company executives to report at least annually to their boards on the status of their data security efforts and on any “material matters” that have arisen.

Starting July 1, 2020, insurers and agents must extend the program to third-party service providers. This involves exercising appropriate due diligence when selecting providers, as well as requiring them to implement measures to keep the licensee’s non-public information safe.

Incident-response plans are also a part of the new law. By January 1, 2019, any licensee that suffers a cybersecurity event must execute a well-designed plan to help the firm react to and recover from a data breach. Moreover, the licensee must report the event to the South Carolina Department of Insurance within 72 hours if it is domiciled in the state and believes nonpublic information of at least 250 South Carolina residents is involved. The notification must include the specifics of the event, how it was discovered, what types of data were breached, remediation steps, and a copy of the licensee’s privacy policy, among other data points. Records of the event must then be retained for five years.

Since the scope of the new law is quite broad, South Carolina lawmakers decided to exempt insurance licensees that have fewer than 10 employees (including independent contractors).

Bottom-line impact of the new law? Edward J. McAndrew, an attorney with Ballard Spahr LLP, wrote in the National Law Review that it “is a significant development. Other state legislatures are currently considering similar legislation, and the requirements of this Act (and the Model Law) will likely be cited in cybersecurity matters beyond the insurance industry.”