SCIDSA Update

On January 1, 2019, parts of the South Carolina Insurance Data Security Act (SCIDSA) became effective. Over the following 18 months, the remaining key parts of the law are phased in until the act is fully in effect on July 1, 2020.

Let’s review whom the SCIDSA applies to, which requirements are active now, and when the remaining requirements are phased in.

South Carolina Insurance Data Security Act

The SCIDSA is a South Carolina state law enforced by the Department of Insurance. The act establishes mandatory data security standards for the individuals and entities licensed by the Department of Insurance. Those requirements include investigating cybersecurity events, notifying the Director of Insurance of a cybersecurity event, and certifying compliance annually. The purpose of the law is to safeguard the nonpublic information of licensees and their customers.

Does the SCIDSA pertain to me?

If you are in the insurance world, the SCIDSA probably includes you. It covers individuals and organizations licensed by the South Carolina Department of Insurance to perform the insurance functions listed below, as well as the third-party service providers of those licensees. As a third-party service provider, the act applies to you only if you maintain, process, store, or are permitted to access nonpublic information.

Covered Roles:

Domestic Insurer

Health Maintenance Organization

Professional Surety Bondsmen & Runners

Third-party Administrator

Producers

Brokers

Adjusters

Managing General Agency

Are there exemptions?

Some licensed individuals and organizations in South Carolina qualify for an exemption from the SCIDSA. An exemption mainly relieves you of the requirement to establish and maintain a formal information security program. Be cautioned, however, that even if you qualify for one, the other requirements of the SCIDSA still apply: as a licensee, you must still investigate cybersecurity events as outlined by the SCIDSA and notify the Director of Insurance of those events.

Categories of Exemptions for Licensees:

Organizations with fewer than 10 employees

Organizations covered by the information security program of another licensee

HIPAA-compliant organizations

Organizations compliant with the New York Cybersecurity Regulation

Does the SCIDSA apply to all licensees?

The SCIDSA also does not apply in several cases, namely if the organization or licensee:

  • Does not keep its records in electronic form
  • Keeps only the nonpublic information of its parent company or affiliate
  • Is a risk-retention group chartered in another state, or an assuming insurer chartered in another state

Implementation Calendar for SCIDSA

January 1, 2019

After January 1, 2019, anyone who does not meet an exemption or exception to the requirements has an affirmative obligation to conduct a prompt investigation of a cybersecurity event and to maintain the investigation records for five years.

You must also notify the Director of Insurance of a cybersecurity event within 72 hours of determining that an event meeting the act’s criteria has occurred.

July 1, 2019

After July 1, 2019, you are also required to meet the requirements of Section 38-99-20. This requires that you establish a comprehensive, written information security program that adheres to security best practices for an entity of your size and complexity. The third-party service provider requirements in Section 38-99-20(F) are not part of this deadline; they take effect on July 1, 2020 (see below).

February 15, 2020

By February 15, 2020, and annually thereafter, you will be required to submit a written statement to the Director of Insurance certifying that you are in compliance with Section 38-99-20.

July 1, 2020

After July 1, 2020, you will also be required to meet the additional requirements pertaining to third-party service providers set out in Section 38-99-20(F). Under these, a licensee must:

Exercise due diligence in selecting its third-party service providers

Ensure that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider

Conclusion

Hopefully, this post gives you an indication of whether you need to take immediate action or have time to prepare for the upcoming deadlines. Much of the information provided here comes from the South Carolina Department of Insurance website and the PowerPoint presentation it released. You can find out more about the SCIDSA in my other blog posts.


Check out some of our other popular blogs:

5 Must-Have Elements of an IDSA Information Security Plan

What does South Carolina Insurance Data Security Act mean for third-party providers?

As a small insurance agency, how do I know if I have been breached?


If you have any questions on SC Insurance Data Security Act compliance, call Tandem Cyber Solutions today!


(843)309-3508


Author

Keith Small
Co-founder + VP of Operations

Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cybercriminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.
