Bulletin: SC2018003

Dear Associates:

The South Carolina Insurance Data Security Act (2018 S.C. Act No. 171 (“Act”)) was recently enacted and is codified as Chapter 99 of Title 38 of the South Carolina Code of Laws. This Bulletin addresses general requirements under the Act. The Act becomes effective on January 1, 2019. Beginning on that date, licensees subject to the Act must provide notice of a Cybersecurity event to the South Carolina Department of Insurance.

The Act applies to all licensees of the South Carolina Department of Insurance. "Licensee" is defined by the Act to include "any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State." It expressly excludes (i) out of state purchasing groups or risk retention groups; and (ii) out of state licensees who are only acting as an assuming reinsurer.

Under the Act, a “Cybersecurity event” is defined as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.” The term “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization. Cybersecurity event does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed. Loss of information only in paper format does not constitute a Cybersecurity event.

Licensees will not be required to notify the Department of temporary disruptions in service due to power outages or other benign causes unless that disruption results in the unauthorized access, misuse or disruption of the licensee’s information system or that of its third-party service provider.

Licensees subject to the Act must notify the Director of the South Carolina Department of Insurance within 72 hours after determining that a Cybersecurity event has occurred if 1) South Carolina is the licensee’s domicile; or 2) the licensee is not domiciled in South Carolina, but it is reasonably believed to have involved the release of nonpublic information of 250 or more South Carolina consumers and the Cybersecurity event impacts the licensee such that notice must be provided to another state or federal governmental entity, or there is a reasonable likelihood of material harm to a South Carolina consumer or material parts of the licensee’s operations.

The Act requires licensees to develop, implement and maintain a comprehensive written information security program based upon the licensee's risk assessment that provides protection for nonpublic information and the licensee's information systems. The information security program should be appropriate for the size and complexity of the licensee's business and the information it collects. 

The Act also:

• Establishes requirements for the information security program;
• Provides minimum requirements for a licensees' Board of Directors regarding the Board's oversight of the licensees' information security program;
• Requires licensees to establish an incident response plan and establishes requirements for the incident response plan;
• Requires insurers to submit an annual statement to the Director certifying they are in compliance within the Act;
• Establishes requirements and obligations for a licensee in the event of a cybersecurity event;
• Grants the Director authority to examine and investigate a licensee's compliance with the Act;
• Provides that documents, materials, or other information in the control or possession of the Department of Insurance obtained in an investigation or examination must be treated as confidential and privileged, but the Director may use such information in furtherance of a regulatory action and share or receive confidential documents under certain circumstances;
• Provides penalties for violations of the Act; and
• Authorizes the Director to promulgate regulations necessary for the administration of the Act.

The legislation becomes effective on January 1, 2019. Beginning on that date, licensees must comply with the reporting requirements regarding a cybersecurity event, among other requirements.

Licensees have until July 1, 2019, to implement Section 38-99-20 of this Act, and until July 1, 2020, to implement Section 38-99-20(F) of this Act. These sections deal with implementing and maintaining a data security program.

Under Section 38-99-20(H)(2)(1), insurers domiciled in this state will need to submit an annual written statement to the Director by February 15, 2020, certifying their compliance with the data security program requirements.

More information, including the “Report a Cybersecurity Event” form, can be found at http://www.doi.sc.gov/918/Cybersecurity.

If you have any questions relating to this or other bulletins, please contact a Stewart Title Guaranty Company underwriter.

For on-line viewing of this and other bulletins, please log onto www.vuwriter.com.