South Carolina Passes First Insurance Industry Cybersecurity Law

June 4, 2018 by

South Carolina has become the first state to pass a model cybersecurity bill requiring any insurance entity operating in the state to establish and implement a cybersecurity program protecting their business and their customers from a data breach.

And while the insurance industry wasn’t against the new law, there are concerns about what the impact to the industry could be if other states pass laws different from South Carolina’s – the “model law” from the National Association of Insurance Commissioners (NAIC).

Signed May 3 by Governor Henry McMaster, the South Carolina Department of Insurance Data Security Act was drafted by the NAIC’s Cybersecurity Working Group, chaired by South Carolina Insurance Director Raymond G. Farmer.

According to a statement from the SCDOI, Farmer “played an integral part in making sure South Carolinians’ cyber insurance information is now further protected with this law.”

The law creates rules for South Carolina licensees, defined as insurers, agents and other licensed entities, regarding data security, investigation and notification of a breach. The law requires licensees to maintain an information security program based on ongoing risk assessment, oversee third-party service providers, investigate data breaches and notify regulators of a cybersecurity event.

Other provisions of the new law include:

  • Requires the insurance industry to protect consumer information by safeguarding individual insurance policyholders’ personal information.
  • Requires insurance companies to establish data security standards to mitigate the potential damage of a data breach.
  • Requires insurance companies to develop, implement and maintain a secure information security program, investigate any cybersecurity events and notify the SCDOI of such events immediately.

The new law also requires licensees to report a cybersecurity event to the department within 72 hours of the event occurring. However, the event must affect at least 250 people and have a reasonable impact on South Carolina consumers for reporting to be required.

The law also includes stipulations if a cybersecurity event occurs in a system maintained by a third-party provider of the licensee. Additionally, each insurer domiciled in the state – domestic insurers – must submit a statement annually to SCDOI attesting to their data breach response plan.

The bill applies to companies in all facets of the insurance industry – including agencies, brokers and carriers – but there is an exemption for firms with 10 employees or fewer and for independent contractors.

The effective date of the law is Jan. 1, 2019. Insurers are required to develop, implement and maintain a comprehensive written information security program and report it to SCDOI by July 1, 2019. Licensees must require their third-party service providers to implement security measures to protect and secure any information systems and personal information by July 1, 2020.

“This sets South Carolina apart and shows we are dedicated to keeping insurance information safe,” Farmer said. “In this day where cybersecurity breaches are a real and ongoing threat it is best to take a proactive approach to protecting data before there is an issue, rather than trying to fix a breach once it has happened.”

Industry Reaction

The Property Casualty Insurers of America (PCI) said it supports the fundamental purpose of the law but is concerned about future cybersecurity regulations passed in other states that differ from the South Carolina/NAIC model, as that could become burdensome for the insurance industry and ineffective at protecting consumers.

“We need strong cybersecurity standards to protect consumer data in all 50 states. We must avoid a patchwork public policy approach that could leave consumers and industries vulnerable to attack,” said Nancy Egan, PCI regional manager. “PCI supports the model law, but we are urging South Carolina to take additional steps to avoid future conflicts in state law relating to insurance.”

Egan said the insurance industry pushed for an amendment to this bill during the legislative session to ensure the industry would not be subject to additional data security standards later, but that wasn’t included in the final version.

“The language we were looking for was this would be the exclusive set of data security standards insurers would have to follow so if [the legislature] come up with other rules in the future, these would be the ones [the industry] has to follow,” she said.

Egan said PCI will work to have an exemption for the insurance industry on any future bills targeting industries that gather personal information – or more specifically companies in the financial services industry – because the insurance industry is already required to follow this law.

“We don’t want to be swept into complying with two different sets of regulations,” Egan said.

The industry also anticipates there will be a cost burden associated with this law, particularly for smaller agencies, though it’s still unclear what that will be, says Frank Shepperd, president of the Independent Insurance Agents & Brokers of South Carolina (IIABSC).

The association was also in favor of the bill and worked with SCDOI as the NAIC model law was being developed, Shepperd said. And, given Director Farmer’s role in the development of the bill, the association expected South Carolina would be one of the first states to introduce the law.

He added many agencies are already taking steps to protect customer data, so it will just be a matter of doing so in a way that meets the criteria of the new law.

“We do recognize and understand that the insurance industry has an obligation to protect data, just like all other industries. Agencies are part of that responsibility and accept that,” he said.

Shepperd said IIABSC does expect most agencies will follow the lead of the insurance carriers they work with in the development and implementation of a cybersecurity plan, but for those agencies working with multiple companies it could be more challenging.

“As we get a little deeper into this, agencies are going to have a lot of challenges meeting separate qualifications from different companies, especially those who work with multiple carriers,” he said.

IIABSC plans to work with its agency members to set up a “generic” starting plan that will comply with the state’s requirements. Shepperd said ideally that plan will sync with whatever plans insurance companies implement.

He said association members are looking for guidance and suggestions on how to comply and IIABSC is currently working out how it will educate its members, which will likely include seminars, webinars and meetings around the state.

IIABSC will also be looking to SCDOI for guidance on how entities can comply. Shepperd is hopeful that the industry associations will be part of that discussion.

For its part, SCDOI said it will provide “comprehensive guidance” to the industry regarding implementation and compliance, according to a statement from the department.

“The department is already working on pieces of this guidance, including the process for reporting a cybersecurity event as defined under the law and is working with the NAIC in an effort to ensure consistency amongst the states as this legislation is enacted,” said Katie Geer, Public Information coordinator. “This legislation has staggered effective dates, so we anticipate focusing on those aspects of the law that will become effective first and may provide subsequent guidance on other portions in order to provide timely, complete information to our licensees.”