South Carolina Insurance Cybersecurity Law Deadlines Loom

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Kyle LaHucik

Insurers licensed in South Carolina have just under a year to comply with a state law aimed at making the industry follows cybersecurity regulations.

The South Carolina Insurance Data Security Act requires insurers to “develop, implement, and maintain a comprehensive information security program” to protect customer data.

The written security plan requirement for insurers kicks in July 1, 2019. Insurance companies should put in place “administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system,” according to the law.

The measure is the first of its kind in the nation, according to Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP. It reflects efforts by the National Association of Insurance Commissioners (NAIC) to have states regulate industries under its Insurance Data Security Model, Sasinoski told Bloomberg Law.

In accepting the NAIC model, insurers are trying to “ward off” state-by-state variations of state insurance cybersecurity laws, because companies want “clear guidelines as to what they need to do,” Sasinoski said.

“We know that other states have introduced similar legislation, and cybersecurity has become an evolving threat for all industries,” Sasinoski said. She cited a version of the insurance cybersecurity bill that has been introduced in the Rhode Island House.

An insurance firm’s size and range of business activities drives the extent of the information security program—as does the amount of non-public information it uses and holds.

The law also requires holders of insurance licenses to submit statements to the South Carolina Department of Insurance annually, and report data breaches, starting Jan. 1, 2019. Breaches must be reported to the state insurance department’s director within 72 hours if they affect 250 or more South Carolina residents, the law says.

Insurers also must report as much information about the incident as possible, including date of the event, how it was discovered, and a description of information acquired without authorization, among others.

Licensees with fewer than 10 employees are exempt from the law. There’s also an exemption for licensees that are compliant with cybersecurity provisions of the Health Insurance Portability and Accountability Act.

South Carolina Gov. Henry McMaster (R) signed the measure May 3.

Request Bloomberg Law: Privacy & Data Security