South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.
On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.
The new law applies to “licensees”, defined as those persons who are licensed, or are required to be licensed, registered, or authorized to operate, under the state’s insurance laws; the definition excludes certain groups chartered or licensed in another state and out-of-state licensees acting as an assuming insurer. Licensees who are already subject to the Health Insurance Portability and Accountability Act (HIPAA) and provide a certification of compliance may also be exempt.
First and foremost, the law seeks to prevent cybersecurity breaches from occurring by requiring licensees to conduct a risk assessment and implement preventative processes, systems and procedures. Licensees who do not otherwise meet one of the various exceptions must perform an ongoing cybersecurity risk assessment, establish requirements for their cybersecurity program as a result of such assessments, monitor and adjust the program as needed, and establish an incident response procedure based on the licensee’s board’s analysis of established minimum requirements. The prevention plan and incident response procedures may be tailored to the level of threat and sensitivity of the data, and could include: employee training, access and authentication controls on information systems, physical access controls, encryption of data, system modifications, environmental disruption planning, and adding cybersecurity risk to the licensee’s enterprise risk management process.
Second, the law imposes a duty on the licensee’s board of directors to oversee these efforts. At a minimum, the board must require the management team to develop, implement and maintain the cybersecurity plan and to prepare an annual report for the board. The licensee must designate at least one employee, or an outside vendor, to act as the responsible party for the program, which includes an ongoing obligation to detect, prevent and respond to attacks. The incident detection and response plan must address specific provisions under the law, including the internal response process, goals for the plan, definition of roles and responsibilities, communications planning, remediation objectives, documentation and reporting requirements, and an ongoing revision cycle to address new threats or incidents.
The third prong of the legislation requires licensees to remediate cybersecurity incidents. If a cybersecurity incident does occur, licensees, their outside vendors or third-party service providers must investigate the event and make certain assessments and determinations. If the cybersecurity event meets certain threshold criteria, licensees must notify the director of the state department of insurance within 72 hours of the determination. The licensee must provide a report of the incident, as well as notification to its customers and possibly certain federal consumer reporting agencies, consistent with the obligations South Carolina state law imposes on other industries. Although there is no private right of action under the legislation, licensees are subject to various fines and other potential penalties for noncompliance.
Licensees have until January 1, 2019 to comply with the reporting requirements and other provisions, until July 1, 2019 to comply with the implementation and maintenance of the program, and until July 1, 2020 to implement third party oversight provisions and ongoing evaluation and monitoring of their cybersecurity programs.
Reception to the law has been mixed. While most industry groups agree with the purpose of the legislation, insurers are wary of creating a patchwork of laws that differ from state to state. And although South Carolina has implemented a framework substantially the same as the industry’s model rules, there is no guarantee that other states will follow suit. Licensees and others affected may follow the state’s implementation bulletins on the legislation. As other states move to enhance cybersecurity and data protection laws for consumers, we expect to see additional developments in this area.