South Carolina to Hold Info Session on New Insurance Data Security Law

By | September 7, 2018

The South Carolina Department of Insurance will hold an information session Monday, Sept. 10, on the South Carolina Insurance Data Security Act for state insurance licensees.

According to a media release, it will address the legal, regulatory and compliance issues licensees must consider in establishing their information security programs in order to comply with the law.

South Carolina’s new cybersecurity law was passed during the 2018 state legislative session and signed by Gov. Henry McMaster on May 3. It requires any insurance entity operating in the state to establish and implement a cybersecurity program protecting their business and their customers from a data breach.

According to Katie Geer, SCDOI Public Information coordinator, the session is being held to help those impacted by the new law prepare for it before it goes into effect next year.

“We have been working with those who call and have questions regarding the new law, and there was a lot of requests for a public meeting that would explain what it means and how to be compliant,” said Geer. “Our office not only regulates, but also supports those doing insurance business in our state and we want them to succeed. This is part of our efforts to support.”

South Carolina is the first state to enact the National Association of Insurance Commissioners (NAIC) “Model Law,” drafted by the Cybersecurity Working Group. The group is chaired by South Carolina Insurance Director Ray Farmer, who also worked with South Carolina lawmakers in getting the Act passed.

Among its many requirements, the South Carolina Insurance Data Security Act creates rules for South Carolina licensees, defined as insurers, agents and other licensed entities, regarding data security, investigation and notification of a breach. The law requires licensees to maintain an information security program based on ongoing risk assessment, oversee third-party service providers, investigate data breaches and notify regulators of a cybersecurity event.

Other provisions of the new law include:

  • Requires the insurance industry to protect consumer information by safeguarding individual insurance policyholder’s personal information.
  • Requires insurance companies establish data security standards to mitigate the potential damage of a data breach.
  • Requires insurance companies to develop, implement and maintain a secure information security program, investigate any cybersecurity events and notify the SCDOI of such events immediately.
  • The new law also requires licensees report a cybersecurity event to the department with 72 hours of the event occurring.

The session will be held at from 10 a.m. EST to 12 noon in the South Carolina Bar Conference Center, located at 1501 Park Street in Columbia, S.C.

Geer said the session will not be broadcast live but a recording will be available and posted on the SCDOI website within a few days.

The effective date of the law is Jan. 1, 2019. Insurers are required to develop, implement and maintain a comprehensive written information security program and report it to SCDOI by July 1, 2019. Licensees must require their third-party service providers to implement security measures to protect and secure any information systems and personal information by July 1, 2020.

Read More:

Topics Legislation Cyber South Carolina Data Driven

About Amy O'Connor

O'Connor is the Southeast editor for Insurance Journal and associate editor of More from Amy O'Connor

Was this article valuable?

Here are more articles you may enjoy.