The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and subsequently passed in South Carolina, Ohio, Michigan, and Mississippi. The NAIC model itself borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). The NAIC’s 2017 passage of MDL-668 set the stage for several state legislatures to include it on their legislative calendars.
In May 2018, South Carolina passed its own version of the NAIC model, which was quickly signed into law by its governor, Henry McMaster. South Carolina was the first state to pass the NAIC model and the only one thus far to have passed it almost exactly as drafted at the NAIC.
The NAIC model only matters insofar as it is adopted by states. To that end, this is the first in a series of blog posts to examine how the states that have passed the model have done so thus far, starting with South Carolina.
The South Carolina Insurance Data Security Act
The South Carolina Insurance Data Security Act (H.B. 4655) went into effect at the beginning of 2019, and its compliance requirements will be in full effect beginning on July 1, 2020. Like the NAIC model, the South Carolina law applies to all “licensees,” which are defined as insurers, insurance agents, and other licensed entities (agencies, brokers, carriers, etc. that are licensed to conduct insurance business in South Carolina).
The South Carolina law requires its “licensees” to:
- Develop, implement, and maintain a comprehensive information security program that contains safeguards to protect nonpublic information and the licensee’s information system (by July 1, 2019)
- Perform a risk assessment that includes determining whether it is appropriate to implement protections like multifactor authentication, regular penetration testing, and the encryption of data at rest
- Require third-party service providers to create security measures to protect information systems and personal information (by July 1, 2020)
- Report data security breaches within 72 hours of the breach, if it affects 250 or more residents of South Carolina
- Create minimum requirements for boards of directors in South Carolina to oversee the development and implementation of a cybersecurity program, like requiring the licensee’s executives to report in writing to the board the status of the entity’s information security program
Carriers that already comply with the cybersecurity provisions of the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the South Carolina law, provided they give the South Carolina Department of Insurance a written statement of HIPAA compliance.