South Carolina Becomes the First State to Enact the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law

In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law.  According to NAIC’s news release announcing this development, the Model Law was meant to build on the organization’s cybersecurity progress and create a “platform that enhances our mission of protecting consumers.”  (For more information on the development of the Model Law, see our prior coverage.) 

On May 3, 2018, South Carolina became the first state to enact this Model Law, in the form of the South Carolina Insurance Data Security Act (H.B. 4655).  By doing so, South Carolina joined Connecticut and New York as states with cybersecurity regulations for insurance companies.  See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500.

South Carolina’s Act – which will go into effect on January 1, 2019, with compliance requirements fully enacted by July 1, 2020 – applies to all licensees, defined as insurers, agents, and other licensed entities.  This means all insurance agencies, brokers, and carriers doing business in South Carolina are covered, and the law requires these entities to:

  • Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system by July 1, 2019;
  • Perform a risk assessment that includes determining the appropriateness of implementing protections such as multifactor authentication, regular penetration testing, and encrypting data at rest;
  • Require their third-party service providers to implement security measures to protect and secure any information systems and personal information by July 1, 2020;
  • Report data breaches within 72 hours of the event occurring if the breach affected 250 or more South Carolina residents; and
  • Establish minimum requirements for boards of directors to oversee the development and implementation of the cybersecurity program, such as requiring the licensee’s executive management to report in writing to the board of directors the overall status of the information security program.

Insurance companies that are compliant with the cybersecurity provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) are exempt from the Act, as long as they submit a written statement certifying their compliance.

Going forward, South Carolina may become the first of many states to adopt the Insurance Data Security Model Law.  The Rhode Island General Assembly introduced a version of the Model Law in February 2018, and Vermont and Nevada are considering doing the same.