Now is the time to audit your data security practices. Compliance is not a fast task. The deadlines are on the horizon, and insurance companies just beginning the South Carolina Insurance Data Security Act (SCIDSA) compliance journey will be lucky to finish in time. Starting July 1, 2019, SCIDSA will become enforceable. Businesses partnered with third-party service providers who have access to their data will get an additional twelve months (until July 1, 2020) to ensure their third-party affiliates meet the standards of the act.
Non-compliance with the act may surface in a variety of ways. An insurance entity fails when it does not submit a yearly report, fails to report a cybersecurity event, or underperforms during a normal examination of a licensed party. As with most laws, failure comes from not understanding the framework. Business owners aren’t expected to understand cybersecurity practices, and IT management companies are usually not experts either. Third parties like Tandem who focus on compliance are your best bet for checking all the right boxes.
Insurers found to violate this act can face both civil and criminal penalties. Under administrative penalties for other than willful violations, insurers face a possible suspension or revocation of their authority to conduct business in this state and/or a fine up to $15,000. For willful violations, administrative fines can increase to $30,000.
If the violator is a person other than the insurer and the act is non-willful, the fine may not exceed $2,500, and/or the person’s license may be suspended or revoked. If it is a willful violation, the fine limit increases to $5,000.
Criminal penalties set forth by South Carolina law under the statutes as they pertain to insurance allow for a misdemeanor charge that carries the possibility of punishment of up to two years in jail and/or a fine up to $2,500.
Keep in mind that this law does not provide grounds for civil action, nor does it curtail such an action if a cause exists.
So if you are reading this and thinking that there is plenty of time, there probably isn’t. Don’t underestimate the time needed to develop a well-thought-out, multi-layered information security program and incident response policy, and to educate your employees about them. If you have multiple third-party service providers, you will need time to understand their administrative, technical, and physical security measures as they pertain to your data. It will take time to coordinate any changes to third-party practices to meet the requirements of this act. Some third-party service providers may not be open to sharing their methodology with you or changing it. If this is the case, finding a new third-party service provider or implementing an in-house solution will be lengthy.
Now is a great time to familiarize yourself with the requirements of the act or find an outside vendor that can do it for you. Tandem Cyber Solutions can help you with the required security assessments and develop a comprehensive Information Security strategy. We aim to remove barriers for our clients so they can focus on their business.
If you have any questions on SC Insurance Data Security Act compliance, call Tandem Cyber Solutions today!
Co-founder + VP of Operations
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cybercriminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.