SCIDSA Update
On January 1, 2019, parts of the South Carolina Insurance Data Security Act (SCIDSA) became effective. Over the next 17 months, other key parts of the law will be phased in until the act is fully in effect on July 1, 2020.
Let’s review who the SCIDSA applies to, which requirements are active now, and when the remaining requirements will be phased in.
South Carolina Insurance Data Security Act
The SCIDSA is a South Carolina state law enforced by the Department of Insurance. The act establishes mandatory data security standards for individuals and entities licensed by the Department of Insurance. These requirements include investigating cybersecurity events, notifying the Director of Insurance of a cybersecurity event, and submitting an annual compliance certification. The focus of the law is to safeguard the nonpublic information of licensees and their customers.
Does the SCIDSA pertain to me?
If you are in the insurance world, the SCIDSA probably includes you. It covers individuals and organizations licensed by the South Carolina Department of Insurance to perform the insurance functions listed below, as well as third-party service providers of those licensees. As a third-party service provider, the act applies to you only if you maintain, process, store, or are permitted to access any nonpublic information on behalf of a licensee.
Covered Roles:
Domestic Insurer
Health Maintenance Organization
Professional Surety Bondsmen & Runners
Third-party Administrator
Producers
Brokers
Adjusters
Managing General Agency
Are there exemptions?
For some licensed individuals or organizations in South Carolina, there are exemptions from parts of the SCIDSA. An exemption mainly relieves you of the requirement to establish and maintain a formal information security program. However, be cautioned that even if you qualify for one, the other requirements of the SCIDSA still apply. As a licensee, you must still investigate cybersecurity events as outlined by the SCIDSA and notify the Director of Insurance of those events.
Categories of Exemptions for Licensees:
Organizations with fewer than 10 employees
Organizations covered by the information security program of another licensee
HIPAA-compliant organizations
Organizations compliant with the New York Cybersecurity Regulation
Does the SCIDSA apply to all licensees?
The SCIDSA does not apply in several cases. It does not apply if an organization or licensee:
- Does not keep its records in an electronic format
- Only keeps the nonpublic information of its parent company or an affiliate
- Is a risk-retention group chartered in another state, or an assuming insurer domiciled in another state
Implementation Calendar for SCIDSA
January 1, 2019
As of January 1, 2019, anyone who does not meet an exemption or exception has an affirmative obligation to conduct a prompt investigation of a cybersecurity event and to maintain records of that investigation for five years.
You must also notify the Director of Insurance of a cybersecurity event within 72 hours of determining that an event meeting the act's notification criteria has occurred.
July 1, 2019
As of July 1, 2019, you are also required to meet the requirements of Section 38-99-20. This requires that you establish a comprehensive, written information security program that adheres to security best practices appropriate for an entity of your size and complexity, including a risk assessment, risk management controls proportionate to that assessment, and an incident response plan. The one part of Section 38-99-20 that is not yet in force is subsection (F), which governs oversight of third-party service providers; those requirements are phased in on July 1, 2020 (see below).
February 15, 2020
By February 15, 2020, and by February 15 of each year thereafter, you will be required to submit a written statement to the Director of Insurance certifying that you are in compliance with Section 38-99-20.
July 1, 2020
As of July 1, 2020, you will be required to meet the additional requirements pertaining to third-party service providers set out in Section 38-99-20(F). Those requirements are to:
Exercise due diligence in selecting your third-party service providers
Ensure that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider
Conclusion
Hopefully, this blog post gives you an indication of whether you need to take immediate action or have time to prepare for the upcoming deadlines. Much of the information provided here comes from the website of the South Carolina Department of Insurance and the PowerPoint presentation it released. You can find out more about the SCIDSA in my other blog posts.
Check out some of our other popular blogs:
5 Must-Have Elements of an IDSA Information Security Plan
What does South Carolina Insurance Data Security Act mean for third-party providers?
As a small insurance agency, how do I know if I have been breached?
If you have any questions on SC Insurance Data Security Act compliance, Call Tandem Cyber Solutions today!
(843)309-3508
Author
Keith Small
Co-founder + VP of Operations
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cybercriminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.