On May 9, 2018, South Carolina Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (“IDSA”). South Carolina thereby became the first state in the nation to pass legislation modeled after the “Insurance Data Security Model Law” adopted by the National Association of Insurance Commissioners (“NAIC”). The purpose of the IDSA is to ensure that all Licensees of the South Carolina Department of Insurance (“SC DOI”) have a strong and aggressive cyber security program to protect the personal data of consumers in South Carolina and elsewhere.
To Whom Does the IDSA Apply?
The IDSA broadly applies to all “licensees” of the SC DOI, including “any [individual or corporate] person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State.” The IDSA applies to both resident and non-resident insurers, agencies, producers, and brokers. It expressly excludes only (1) out-of-state purchasing groups or risk retention groups and (2) out-of-state licensees who are acting only as an assuming reinsurer.
What Does the IDSA Require?
The IDSA became effective January 1, 2019. It includes several staggered effective dates for implementation of its requirements.
• Beginning Immediately: Licensees must comply with the reporting requirements of a Cybersecurity Event.
Under the Act, a “Cybersecurity Event” is defined as “an event resulting in an unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.” “Cybersecurity Event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released or used without authorization. “Cybersecurity Event” does not include an event with regard to which the Licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed. Loss of information only in paper format does not constitute a “Cybersecurity Event.”
Licensees must notify the SC DOI within 72 hours after determining that a Cybersecurity Event has occurred if (1) South Carolina is the Licensee’s domicile; or (2) the Licensee is not domiciled in South Carolina, but the Cybersecurity Event is reasonably believed to have involved the release of the nonpublic information of 250 or more South Carolina consumers and the Cybersecurity Event impacts the Licensee such that notice must be provided to another state or federal government entity, or there is a reasonable likelihood of material harm to a South Carolina consumer or material parts of the Licensee’s operations.
• Beginning July 1, 2019: Licensees must have an IS Program.
Licensees have until July 1, 2019 to develop, implement, and maintain a comprehensive written information security program (“IS Program”) that provides protection for nonpublic information and the Licensee’s information systems.