South Carolina was the first state that created a law to specifically regulate the insurance industry and its electronic records database. Passed by the South Carolina Legislature in 2018 and effective January 1, 2019, the Department of Insurance is slowly implementing sections with July 1, 2019, as the next milestone. Since SC signed the law into existence several other states have followed suit, indicating a trend of a more heavy-handed approach to protecting sensitive data across the nation. The intent of the South Carolina Information Data Security Act is to establish standards for data security, cybersecurity event investigations and reporting cybersecurity events for the insurance industry. (click [here] to view the law in full)
What is a cybersecurity event?
Like most regulations, IDSA has a definition for what it considers a reportable incident aka a breach and in the department of insurance terminology, it is called a cybersecurity incident. DOI defines the term as “an event resulting in the unauthorized access of, the disruption of, or the misuse of an information system or the information stored there.” Or in layman terms when someone gets access to non-public information they shouldn’t have.
Agencies with less than 10 employees
IDSA applies to agencies big or small but has slightly different requirements for those above and below the 10-employee mark. For the small group, they must monitor for cyber security events and be able to thoroughly investigate the events when they occur. Because most small to medium-sized businesses lack these capabilities, third-party vendors can be used to cost-effectively fill the gap.
With any reportable incident, the agency must report the breach within 72 hours of confirming the cyber security event. After the event investigation is complete, the agency must maintain the report for 5 years including information on the incident and any preventive steps taken.
Agencies with more than 10 employees
The biggest difference between the big agencies and small agencies is that the larger agencies must have a written information security program in place that cover business IT operations and third-party vendors and maintain these records for five years. As a good rule of thumb, the plan should cover at minimum incident prevention, detection, response, recovery, risk assessments, gap mitigation, employee training, and documentation. Because no single plan works for every agency, the DOI leaves requirements vague cautioning that plans should meet the size and complexity needs of each agency. Going further than other regulations, the DOI requires that all larger agencies must submit a written statement declaring their full compliance with IDSA requirements annually to the director.
What’s the big deal?
The Department of Insurance has levied significant requirements on insurance agencies and their vendors; keeping a close eye on their efforts to prevent cyber-attacks. Unlike other regulations, such as HIPAA, who don’t require yearly paperwork submissions, the IDSA is ensuring the Insurance community stays on their toes and protects their clients. Smaller to medium size businesses may face more difficulties implementing the next phase of the plan than those bigger institutions with robust IT departments.
For more information …
For more information on the South Carolina Insurance Data Security Act stay tuned in to our blogs and keep an eye on the official Department of Insurance website for updates. Reach out to us within specific questions on how this new act may affect your business.
VP of Operations + CO-Founder
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cyber criminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.