South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 3, 2018. The law, parts of which become effective January 1, 2019, requires entities licensed by the Department of Insurance to “develop, implement and maintain a comprehensive information security program based on the licensee’s Board of Directors, if applicable to require a licensee monitor the security program and make adjustments if necessary, to provide that the licensee must establish an incident response plan, to require a licensee to submit a statement to the Director of the Department of Insurance annually; to establish certain requirements for a licensee in the event of a cybersecurity event; to require a licensee to notify the Director of certain information in the event of a cybersecurity event; to grant the Director the power and authority to examine and investigate a licensee; to provide that documents, materials, or other information in the control or possession of the Department must be treated as confidential documents under certain circumstances; to provide exemptions from the provisions of this Chapter; to provide penalties for violations; and to authorize the Director to promulgate regulations.”

The stated purpose of the Act is “to establish standards for data security and standards for the investigation of and notification to the director of a cybersecurity event applicable to licensees.” It does not provide a private right of action for violation of the Act.

Significantly, the definition of a cybersecurity event, which requires notification to the Department of Insurance, is broad: “an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system…” but “does not include the unauthorized acquisition of encrypted nonpublic information…” or “an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”

The definition of nonpublic information is equally broad. It includes “business-related information of a licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of a licensee;” and personal information of a consumer, including the usual data elements such as Social Security number, account number, driver’s license, etc., but also biometric records, or any health care provider’s information regarding the provision of health care to a consumer, such as the physical, mental or behavioral health of a consumer or his or her family, or the payment for health care provided to a consumer. There does not appear to be any harm standard, which is present in many data breach notification laws. This means that a licensee of the South Carolina Department of Insurance may be required to notify the Department even when notification to a consumer may not be required by the State’s data breach notification law.

More and more states are implementing data security laws that mirror other state laws, such as the Massachusetts Data Security Regulations and the New York Financial Services Cybersecurity Regulations, but each law has its own nuances, including this one. It is challenging to stay abreast of new state laws, and licensees of the South Carolina Department of Insurance would do well to become familiar with the compliance requirements of this new law, as the clock is ticking on the time to implement compliance measures.