South Carolina passed a bill requiring all insurance entities in the state to create a cybersecurity program to protect their businesses and customers from data breaches, becoming the first state to pass such a measure.
Under the South Carolina Department of Insurance Data Security Act, licensees, including insurers, agents, carriers and other licensed entities, must develop and maintain an information security program based on ongoing risk assessment, oversee third-party service providers, protect consumer information, establish data security standards and investigate data breaches. They must also notify regulators of a cybersecurity event within 72 hours if the event affects at least 250 people and has an impact on South Carolina consumers.
Licensees are required to submit their program to the South Carolina Department of Insurance by July 1, 2019, and compel their third-party service providers to implement the security measures by July 1, 2020. Insurers domiciled in the state are required to submit a statement annually to the department certifying compliance with the requirements.
Companies with fewer than 10 employees and independent contractors are exempt from the measure.
The bill, which follows the National Association of Insurance Commissioners' Insurance Data Security Model Law, was signed May 3 by Gov. Henry McMaster and is set to take effect Jan. 1, 2019, the Insurance Journal reported.
