Co-Founder + Forensic Expert
Inclusion & Exclusion
For those agencies that are covered by HIPAA, IDSA compliance is inherent because the Health Act is more stringent. The Department of Insurance is drafting a to certify organizational exclusion from the Insurance Data Security Act.
Access & Encryption
Encryption is unfortunately a topic where IDSA diverges from common information security practices. The security act does not require that companies encrypt any of their data or information. However, a company should still implement encryption because having data locked away could save the organization millions in fines and costs from a breach. Encryption protects the data, and the theft of encrypted data is not considered a reportable event by the Department of Insurance unless the key is also stolen.
Third-party Services Providers
The ramifications are still a little unclear when a third-party service provider fails to cooperate with the insurance licensee to develop a comprehensive information security plan. Does an insurance licensee have to find a new provider or move the services back within their control? Hopefully, as this act matures like HIPAA, these questions will be answered.
Additionally, the thoroughness of the risk assessment depends on the complexity of the entity’s operational and information systems, but it should include all facets of the business operations and information security. Each licensee will have to evaluate the scope of their operation and make sure the security measures are commensurate.
Licensees may conduct the risk assessment in house if they have the expertise, such as qualified cyber security professionals. However, if the assessment is handed off to a third-party service provider, the provider must meet the requirements of this act if they have access to the non-public information. Either way, the Information Security Plan (ISP) will be based on the outcome of the assessment. Currently a format for the assessment report is defined and the reports must be kept by the licensee for five years.
Cyber Security Event
More IDSA Info
The Department of Insurance encourages licensees and third-party service providers to sign up for bulletins and press releases on their website at www.doi.sc.gov. Once on the website, click the button for “Notification Subscriptions”.
The Department of Insurance hopes to have a live webinar/seminar on this topic on September 10, 2018. Updated information on this event will be pushed out through their notification system.