Update
On January 1, 2019, parts of the South Carolina Insurance Data Security Act (SCIDSA) became effective. Over the next 17 months, other key parts of the SCIDSA will be phased in until the act is fully in effect on July1, 2020.
Let’s review who the SCIDSA applies to and what requirements are active now and when the other requirements will be phased in.
Let’s review who the SCIDSA applies to and what requirements are active now and when the other requirements will be phased in.
South Carolina Insurance Data Security Act
The SCIDSA is a South Carolina state law enforced by the South Carolina Department of Insurance. The act (SCIDSA) establishes mandatory standards for those whom are licensed by the Department of Insurance. SCIDSA mandates requirements for those licensed individuals or entities as it pertains to data security, breach investigation, notification for a cybersecurity event and the annual requirement to submit a written statement to the Director of Insurance attesting your full compliance with the standards of this act (SCIDSA). The focus of the act is to safeguard the nonpublic information of the licensees and their customers.
Does the SCIDSA pertain to me?
If you or an organization you work for are licensed by the South Carolina Department of Insurance to perform several insurance functions (listed below) or are a third-party service provider of these entities, the SCIDSA applies to you. As a third-party service provider, this act only applies if you maintain, process, store, or are permitted to access any nonpublic information.
Covered Roles:
- Domestic Insurer
- Health Maintenance Organization
- Professional Surety Bondsmen & Runners
- Third-party Administrator
- Producers
- Brokers
- Adjusters
- Managing General Agency
Are there exemptions?
For some licensed folks or organizations in South Carolina, there are exceptions to the SCIDSA. However, be cautioned that even if you qualify for one of the exceptions below, other requirements of the SCIDSA still apply.
If you meet one of the exemptions, do you still have other requirements from the SCIDSA? The short answer is yes. Your exemption mainly pertains to the requirements to establish and maintain a formal information security program. As a licensee you still must, investigate cybersecurity events as outlined by SCIDSA and notify the Director of Insurance of these events.
If you meet one of the exemptions, do you still have other requirements from the SCIDSA? The short answer is yes. Your exemption mainly pertains to the requirements to establish and maintain a formal information security program. As a licensee you still must, investigate cybersecurity events as outlined by SCIDSA and notify the Director of Insurance of these events.
Categories of Exemptions for Licensees:
- Organizations with less than 10 employees
- Organizations covered by the information security program of another licensee
- Organizations HIPAA compliant
- Organizations compliant with the New York Cyber Security Regulation
Organizations with less than 10 employees
Those individuals or entities with less than 10 employees are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA.
Organizations covered by the information security program of another licensee
If you or your entity is covered by the cybersecurity program of another licensee, then you are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA.
Organizations HIPAA compliant
If you or your entity already complies with the more stringent federal guidelines outlined by HIPAA, you are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA. You must notify the Department of Insurance certifying that you are HIPAA compliant.
Those individuals or entities with less than 10 employees are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA.
Organizations covered by the information security program of another licensee
If you or your entity is covered by the cybersecurity program of another licensee, then you are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA.
Organizations HIPAA compliant
If you or your entity already complies with the more stringent federal guidelines outlined by HIPAA, you are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA. You must notify the Department of Insurance certifying that you are HIPAA compliant.
Organizations compliant with the New York Cyber Security Regulation
If you or your entity already complies with the standards of the New York Cybersecurity Regulation and certify this compliance with the Department of Insurance, you are exempt from the formal information security program as defined by section 38-99-20 of the SCIDSA.
Does the SCIDSA apply to all licensees?
The SCIDSA does not apply to any licensee that does not keep any of their records in an electronic or digital format. If you do not electronically collect or store the nonpublic information of your entity or customers, then the SCIDSA does not apply. If you only keep the nonpublic information of your parent company or affiliate, the SCIDSA does not apply to you.
If you are a risk retention group chartered in another state or assuming insurers chartered in other states, the SCIDSA also does not apply to you.
If you are a risk retention group chartered in another state or assuming insurers chartered in other states, the SCIDSA also does not apply to you.
Calendar of Implementation for SCIDSA Components
January 1, 2019
After January 1, 2019, anyone who does not meet and exemption or exception to the requirements have an affirmative obligation to conduct a prompt investigation of a cybersecurity event and maintain the records for five years.
You must notify the Director of Insurance of a cybersecurity event within 72 hours of the confirmation of an event meeting the criteria.
July 1, 2019
After July 1, 2019, you are also required to meet the requirements of section 38-99-20. This requires that you establish a comprehensive, written information security program that adheres to security best practices for entity of your size and complexity. This includes such things as:
After January 1, 2019, anyone who does not meet and exemption or exception to the requirements have an affirmative obligation to conduct a prompt investigation of a cybersecurity event and maintain the records for five years.
You must notify the Director of Insurance of a cybersecurity event within 72 hours of the confirmation of an event meeting the criteria.
July 1, 2019
After July 1, 2019, you are also required to meet the requirements of section 38-99-20. This requires that you establish a comprehensive, written information security program that adheres to security best practices for entity of your size and complexity. This includes such things as:
- Exercise due diligence in selecting its third-party service provider
- Ensure that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that they are accessible to, or held by, the third-party service provider
February 15, 2020
After February 15, 2020, you will be required to submit a written statement to the Director of Insurance annually certifying that you are following Section 38-99-20.
July 1, 2020
After July 1, 2020, you will be required to meet additional requirements pertaining to third-party service providers set out by Section 38-99-20(F). The additional requirements are:
- Exercise due diligence in selecting its third-party service provider
- Ensure that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that they are accessible to, or held by, the third-party service provider
Conclusion
Hopefully this blog gives you an indication of whether you need to take immediate action or have time to prepare for the upcoming requirements.
Much of the information provided here comes from the website for the South Carolina Department of Insurance and the PowerPoint presentation released by them. You can however, find out more about the SCIDSA from my earlier blogs, from the links included or by contacting me.
Much of the information provided here comes from the website for the South Carolina Department of Insurance and the PowerPoint presentation released by them. You can however, find out more about the SCIDSA from my earlier blogs, from the links included or by contacting me.
SCIDSA Blogs –
https://www.tandemcybersolutions.com/blog/category/scidsa