South Carolina has recently enacted a new insurance data security law entitled the South Carolina Insurance Data Security Act. The new legislation generally applies to licensees (any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of South Carolina) with ten or more employees or independent contractors.

The Act requires, amongst other things, that licensees develop and maintain a comprehensive written information security program designed to protect the security, confidentiality, and integrity of non-public information; undertake a risk assessment of the licensee’s operations; implement measures to manage threats to nonpublic information; and exercise due diligence in selecting third-party service providers. Licensees must now also submit an annual statement to the Director for the South Carolina Department of Insurance certifying that the licensee is in compliance with the Act.

Licensees are required to fully investigate and remediate cybersecurity events and also provide notification to the Director within 72-hours after a cybersecurity event has occurred. Information concerning cybersecurity events must be retained for a period of at least five years from the date of the event. The Act also requires compliance with other data breach or cybersecurity laws, including South Carolina’s general data breach notification law which currently requires immediate notification to consumers upon discovery of a data breach involving personal identifying information.

The Act departs from typical data security legislation due to the scope of covered information included in the definition of “nonpublic information.” Non-public information is information that is not publicly available and includes the personal information of consumers as well as certain business-related information of licensees.

Although the Act became effective on January 1, 2019, licensees will have until July 1, 2019 to implement the information system program requirements and until July 1, 2020 to implement provisions related to third-party providers.

The full text of the South Carolina Insurance Data Security Act is located here.