The SC Insurance Data Security Act requires insurance providers to develop and maintain a comprehensive information security program that mirrors the size and complexity of their business model and includes third-party service providers.
The act covers any business-related information controlled by insurance providers that would have a material adverse impact if it were disclosed, tampered with, or accessed. In addition, the act covers personal customer information such as social security numbers, driver’s license numbers, banking and credit card information, personal health information, and security codes or passwords.
Insurance providers are required to designate staff or an outside vendor to be responsible for the program. The designated entity should be qualified to identify foreseeable internal and external threats that may result in unauthorized access, misuse, or destruction of business records or client information. In conjunction with those duties, the designated entity will ensure that adequate policies and procedures are in place to cover employee training, data retention and disposal, threat detection, threat prevention, and threat response.
Policies & Plans
Written policies should outline competent practices addressing cybersecurity issues relating to the computer network, software, information classification system, and all pertinent data. Additionally, policies should address security measures to restrict access to nonpublic information, provide dual-factor authentication, encrypt data, establish network monitoring, and maintain data backups. Plans should require recurring security assessments that probe the organization for any shortfalls and build on the successes of its security plan.
A detailed incident response plan must show how the company will react to a cybersecurity event. This detailed plan should address the goals of the incident response plan, assign clear roles and responsibilities of responding parties, establish decision-making authority, outline internal and external communications & information sharing, address the proper documentation and reporting for any incident, identify weaknesses, enact remediation, and evaluate the effectiveness of the incident response plan.
Annually, the insurance provider must submit a report to the Director for the Department of Insurance by the fifteenth of February certifying its compliance with the requirements of this act. All records should be maintained for five years. These records may be subject to review by the director or his/her designee.
Insurance providers have until July 1, 2019, to meet their specific requirements. All of their third-party service providers must meet requirements of this act by July 1, 2020, when it becomes fully enforced.
If you are a South Carolina licensee who falls under the Insurance Data Security Act, Tandem Cyber Solutions can help you with the required security assessments and develop a comprehensive information security strategy. We aim to remove barriers for our clients so they can focus on their business.
If you have any questions on SC Insurance Data Security Act compliance, call Tandem Cyber Solutions today!
Co-founder + VP of Operations
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cybercriminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.