South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.
South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements.
Implementation of an Information Security Program
The South Carolina Act will require all insurers, agents and other licensed entities doing business in the state to establish a comprehensive, written information security program by July 1, 2019. The program must be “[c]ommensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including the use of third-party service providers, and the sensitivity of the nonpublic information” that the licensee uses, possesses, or controls. The cybersecurity program is to be based on an individualized risk assessment, as a result of which the licensee must “design its information security program to mitigate identified risks.” Each licensee also must “determine the appropriateness of and implement” measures including access controls; inventories and mapping of data, devices, systems and personnel; physical access restrictions; encryption of nonpublic information in transit and at rest on mobile devices and removable media; secure application development practices; multi-factor authentication; regular system testing and monitoring; cybersecurity event audit trails; and secure disposal of nonpublic information.
The Act also establishes “minimum” requirements for boards of directors, which must oversee the development and implementation of the cybersecurity program. The board also must require executive management to report to it in writing at least annually on: (1) the overall status of the cybersecurity program and compliance with the Act; and (2) “material matters,” including risk assessments, risk management controls and decisions, third party service provider arrangements, testing results, cybersecurity events and responses thereto, and recommended changes to the program.
By July 1, 2020, each licensee must implement a third-party service provider program. Licensees must exercise due diligence in selecting providers, and must require providers to implement appropriate administrative, technical and physical measures to protect nonpublic information and relevant systems. Licensees also must monitor and adjust this program as necessary.
By January 1, 2019, each licensee “must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises . . . nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.” The plan must address: (1) the internal response process; (2) plan goals; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) remediation requirements; (6) documentation and reporting of cybersecurity events and response activities; and (7) plan revisions.
Similar to the NY DFS Cybersecurity Regulations, the Act requires each insurer to provide an annual certification of its compliance with the section of the Act prescribing the information security program requirements.
Investigation, Response & Disclosure of “Cybersecurity Events”
The Act also includes stringent requirements for investigating and disclosing certain “cybersecurity event[s]” within 72 hours of their discovery. A “cybersecurity event” is broadly defined as “an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on an information system.” Excepted from this definition are events involving unauthorized acquisition of encrypted nonpublic information or events where impacted nonpublic information “has been returned or destroyed.”
“Nonpublic information” is similarly defined very broadly. It includes the types of personal information protected under many data breach notification laws. Similar to the NY DFS Cybersecurity Regulations, it also includes “business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.”
Upon discovery that a cybersecurity event “has occurred or may have occurred,” the licensee must, at a minimum, conduct a “prompt” investigation that includes: (1) determining whether a cybersecurity event occurred; (2) assessing the event’s nature and scope; (3) identifying any nonpublic information that may have been involved; and (4) restoring security of the impacted systems. Records relating to the cybersecurity event must be retained for 5 years and must be provided to the director upon demand. This investigation requirement applies to third-party service providers as well.
The Act contains tight disclosure deadlines for certain types of cybersecurity events. A licensee must notify the Director of the Department of Insurance “no later than 72 hours after determining that a cybersecurity event has occurred” if: (1) the licensee is domiciled in South Carolina; or (2) the licensee reasonably believes that the event involves nonpublic information for at least 250 South Carolina residents and either the licensee must notify other governmental or supervisory bodies or the event has a reasonable likelihood of materially harming a South Carolina consumer or a material part of the licensee’s normal operations. The Act contains a laundry list of items that must be included in the notification, including the dates and details of the event; how it was discovered; whether, and what types of, nonpublic information was “exposed, lost, stolen or breached;” whether law enforcement has been notified; remediation steps; a copy of the licensee’s privacy policy; and a plan for investigation and consumer notification. A licensee also must comply with the separate notification obligations under the South Carolina Data Breach Notification Act.
Director Farmer described the effect of this comprehensive new cybersecurity law as “tak[ing] [cybersecurity] out of an IT-related issue to a board of directors issue and requir[ing] someone to be reporting to the CEO and to the board of directors on data security, cybersecurity issues.” He added: “It requires a company, in an event they do have a breach, to notify the regulator, and in this case, the Department of Insurance, within 72 hours. And at that point we can form a partnership with the company to see what we need to do to protect consumers, the citizens of this state.”
South Carolina’s new law is a significant development. Other state legislatures are currently considering similar legislation, and the requirements of this Act (and the Model Law) will likely be cited in cybersecurity matters beyond the insurance industry.