South Carolina recently became the first state to pass legislation modeled closely on the Insurance Data Security Model Law that was approved by the National Association of Insurance Commissioners (NAIC) last October. Amid the rising incidence of cyberattacks, cyber security is a key issue facing the insurance sector. South Carolina has taken a proactive step in protecting their business and customers from possible data breaches.
The South Carolina Department of Insurance (SCDOI) Data Security Act, signed by the Governor on May 3, 2018, will become effective January 1, 2019. Among other things, all insurers, agents, and other licensed entities doing business in the state will be required to establish a comprehensive, written information security program by July 1, 2019. The Act also requires each insurer provide an annual certification of its compliance. There are stringent and prompt deadlines for the investigation and reporting of any “cybersecurity event,” involving “nonpublic information,” both of which are defined broadly.
South Carolina joins other states that have implemented data security laws, such as the Massachusetts Data Security Regulations, and the New York Financial Services Cybersecurity Regulations. The Rhode Island General Assembly is currently considering a similar measure. However, each law has its own nuances, leading to worries throughout the insurance industry of the effects of patchwork regulations. If future cybersecurity regulations passed in other states have differing or conflicting rules and security standards, consumers are left vulnerable to cyber-attacks and there are more burdens on the insurance industry. The SCDOI has said it will provide “comprehensive guidance” to the industry regarding implementation and compliance, and it is working with the NAIC to ensure consistency amongst the states as more cyber security legislation is enacted.