South Carolina passes first cybersecurity law for insurance

The new law is the “model law” that was drafted by the National Association of Insurance Commissioners; will other states adopt it?

Among the requirements for South Carolina insurers and agents is maintenance of “an information security program based on ongoing risk assessment.” (Image: Shutterstock)

As of January 1 of next year, insurance entities operating in the state of South Carolina will be obliged to establish and implement a cybersecurity program protecting their business and their customers from a data breach.

Insurance Journal reports that the state has become the first to enact such a measure, which means that there’s no guarantee of uniformity if other states begin to pass laws on cybersecurity—although the new law is the “model law” that was drafted by the National Association of Insurance Commissioners’ Cybersecurity Working Group. Raymond G. Farmer, South Carolina’s insurance director, chaired the working group.


The South Carolina Department of Insurance Data Security Act follows the NAIC Insurance Data Security Model Law approved by the working group in 2017. A statement from the SCDOI quoted in the report says in part that Farmer “played an integral part in making sure South Carolinian’s cyber insurance information is now further protected with this law.”

Among the requirements for South Carolina licensees, defined as insurers, agents and other licensed entities, are maintenance of “an information security program based on ongoing risk assessment,” as well as the obligation to oversee third-party service providers, investigate data breaches and notify regulators of a cybersecurity event.

Other provisions require the insurance industry to protect consumer information by safeguarding individual insurance policyholders’ personal information; to establish data security standards to mitigate the potential damage of a data breach; and to create, use and maintain a secure information security program.

In addition, insurers must investigate any cybersecurity event and notify the SCDOI within 72 hours of its occurrence.

There are limitations; for reporting to be required, the event must affect at least 250 people and have a reasonable impact on South Carolina consumers. And just because an event occurs in a third party’s system, that doesn’t let insurers off the hook; the law specifies what must be done in such cases, as well as requiring that insurers domiciled in the state must submit an annual statement to SCDOI on their data breach response plan.

The bill applies to companies in all facets of the insurance industry, including agencies, brokers and carriers, but independent contractors and firms with 10 or fewer employees are covered by an exemption.