South Carolina has become the first state to enact an insurance data security act based on the Insurance Data Security Model Law drafted by the National Association of Insurance Commissioners, which is based on New York’s Cybersecurity Regulations (23 N.Y.C.R.R. Part 500).
The South Carolina Insurance Data Security Act (“Act”) sets forth a comprehensive and rigorous framework of information security practices for covered entities in the insurance industry, including detailed obligations with respect to the implementation of a written information security program and incident response plan. The Act also sets forth investigation and notification requirements in case of a cybersecurity event that will exist in tandem with any duties under South Carolina’s data breach statute.
The Act goes into effect on January 1, 2019. Covered entities must implement a compliant written information security program by July 1, 2019. We summarize the key provisions below.
THE ACT CREATES OBLIGATIONS FOR LICENSEES AND THIRD-PARTY SERVICE PROVIDERS
The Act’s obligations apply to any “licensee,” which is defined as “a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws” of South Carolina. The definition specifically excludes: (1) a purchasing group or a risk retention group chartered and licensed in a state other than South Carolina; or (2) a licensee acting as an assuming insurer (i.e., a reinsurer) that is domiciled somewhere other than South Carolina.
The Act also sets forth licensee obligations with respect to the oversight of a “third-party service provider,” which is defined as “a person not otherwise defined as a licensee that contracts with a licensee to maintain, process, store or otherwise is permitted access to nonpublic information.”
A “person” is any individual or any nongovernmental entity.
THE ACT PROTECTS INFORMATION SYSTEMS AND NONPUBLIC INFORMATION
The Act’s purpose is to safeguard the security of a licensee’s “information system” and the security of “nonpublic information” that is held by, or accessible to, a licensee or its third-party service provider. An “information system” is defined as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” Notably, the definition of “information system” does not require that it contain sensitive or personally identifying information.
“Nonpublic information” means information that is not publicly available information and is:
- business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee; or
- any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
  - social security number;
  - driver’s license or nondriver identification card number;
  - account number or credit or debit card number;
  - security code, access code, or password to access a consumer’s financial account; or
  - biometric records; or
- any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
  - the past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;
  - the provision of health care to a consumer; or
  - payment for the provision of health care to a consumer.
“Consumer” is defined as any South Carolina resident whose nonpublic information is in a licensee’s possession, custody, or control, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, and certificate holder.
Excluded from the definition of “nonpublic information” is information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local governmental records, widely distributed media, or disclosures to the public required by law. Pursuant to the Act, a licensee has a reasonable basis for such belief if the licensee has taken steps to determine: (1) that the information is of the type that is available to the general public, and (2) whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.
LICENSEES MUST IMPLEMENT A COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM
The Act is primarily focused on setting forth in detail a licensee’s obligations to “develop, implement, and maintain a comprehensive written information security program.” An “information security program” (“ISP”) must be based on a licensee’s risk assessment and should contain safeguards for the protection of nonpublic information and a licensee’s information systems. The ISP should be commensurate with: (1) the licensee’s size and complexity, (2) the nature and scope of the licensee’s activities, including its use of third-party service providers, and (3) the sensitivity of the nonpublic information used by the licensee or in its possession, custody, or control.
The goals of an ISP are to: (1) protect the security of nonpublic information and any information system; (2) protect against the unauthorized access to or use of nonpublic information; (3) minimize the likelihood of harm to a consumer; and (4) develop a schedule for the retention and destruction of nonpublic information.
The following sets forth the key components of a compliant ISP.
The Licensee Must Conduct a Risk Assessment
The Act sets forth a multitude of factors that a licensee must consider as part of the risk assessment that it is required to perform in order to develop a compliant ISP. Some of the important factors include:
- designating one or more employees, an affiliate, or an outside vendor to have primary responsibility for the program;
- identifying reasonably foreseeable internal or external threats that could result in the unauthorized access to, or transmission, disclosure, misuse, alteration, or destruction of, nonpublic information accessible to, or held by, a licensee or a third-party service provider;
- assessing the sufficiency of policies, procedures, information systems, and other safeguards in place to manage threats, which should be an ongoing process; and
- implementing information safeguards to manage the threats, and assessing the effectiveness of those safeguards at least annually.
Specific Security Measures Must Be Implemented by the Licensee
As part of maintaining an ISP, a licensee must: (1) include cybersecurity risks in its enterprise risk management process; (2) stay informed of emerging threats or vulnerabilities; and (3) provide personnel with cybersecurity awareness training that reflects any identified risks. The Act also enumerates security measures that a licensee must implement if it has deemed it appropriate to do so. These measures include the following:
- placing access controls on information systems, including controls to authenticate and permit access only to authorized individuals with respect to nonpublic information (including multifactor authentication procedures);
- encrypting or otherwise protecting all nonpublic information being transmitted over an external network and stored on any portable computing or storage device or media;
- adopting secure development practices for in-house developed applications, and procedures for testing the security of externally developed applications;
- including audit trails designed to detect and respond to a cybersecurity event and reconstruct material financial transactions sufficient to support the licensee’s normal operations and obligations;
- protecting against environmental hazards, catastrophes, and technological failures; and
- developing procedures for the secure disposal of nonpublic information in any format.
A Written Incident Response Plan Must Be Developed
As part of its ISP, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises: (1) nonpublic information in its possession; (2) the licensee’s information systems; or (3) the continuing functionality of any aspect of the licensee’s business or operations. Note that the plan must address events that do not necessarily compromise sensitive or confidential information. The incident response plan must include:
- the internal process for responding to a cybersecurity event;
- the goals of the incident response plan;
- clear roles, responsibilities, and levels of decision-making authority;
- external and internal communications and information sharing;
- remediation of any identified weaknesses in information systems;
- documentation and reporting regarding cybersecurity events; and
- the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
Obligations of a Licensee’s Board of Directors
If a licensee has a board of directors, the board must obligate the licensee’s executive management (or its delegates) to: (1) develop, implement, and maintain an ISP; and (2) report to the board in writing at least annually on the overall status of the ISP, the licensee’s compliance with the Act, and material matters related to the ISP (including risk assessment, third-party service provider arrangements, and cybersecurity events or violations and management responses, and recommendations for changes). If management delegates any of its responsibilities, it must continue to exercise oversight of the licensee’s ISP and require a report from its delegate(s) that complies with the Act’s requirements.
Licensee’s Obligations Regarding Third-Party Service Providers
The Act requires licensees to not only demonstrate due diligence in selecting third-party service providers but also exercise oversight over the third-party service providers’ security measures. Specifically, a licensee must obligate a third-party service provider “to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information” that the third-party service provider can access or holds on behalf of the licensee. While licensees have until July 1, 2019 to implement a compliant ISP, they have until July 1, 2020 to comply with requirements relating to third-party service providers.
An ISP Must Reflect Changes in Technology and the Licensee’s Business Model
The Act requires a licensee to adjust its ISP to reflect any “relevant changes” in technology, the sensitivity of a licensee’s nonpublic information, internal or external threats to information, and its own changing business arrangements and changes to information systems. That is, the ISP must be designed for the licensee and should not be boilerplate.
Licensees Domiciled in South Carolina Must File an Annual Statement of Compliance
Every licensee domiciled in South Carolina must submit a written statement by February 15 of each year to the Director of South Carolina’s Department of Insurance certifying compliance with the requirements under Section 38-99-20 of the Act relating to the implementation of an ISP. Furthermore, the licensee must maintain all materials and data supporting such certification for five years. The licensee must also document any identification of areas requiring material improvement or updating, and remedial efforts in relation thereto.
THE ACT IMPOSES ADDITIONAL INVESTIGATION AND NOTIFICATION OBLIGATIONS IN THE CASE OF A CYBERSECURITY EVENT
The Act also imposes additional investigation and notification obligations where a licensee has learned that a cybersecurity event has, or may have, occurred.
A “cybersecurity event” is defined as any event “resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.”
Excluded from this definition are: (1) the unauthorized acquisition of encrypted nonpublic information unless the encryption, protective process, or key is also acquired, released, or used without authorization; or (2) an event where the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
Licensee’s Investigation Obligations
Where a licensee learns that a cybersecurity event has, or may have, occurred, the licensee, an outside vendor, or a designated service provider must conduct a prompt investigation of the event, which must include:
- a determination whether a cybersecurity event has occurred;
- an assessment of the event’s nature and scope;
- the identification of nonpublic information that may have been affected; and
- the performance or oversight of reasonable measures to restore the security of compromised information systems in order to prevent further unauthorized access to, or use of, nonpublic information.
Where a licensee learns of a cybersecurity event that has, or may have, occurred in a third-party service provider’s system, it must complete an investigation, or confirm in writing that the third-party service provider has done so in accordance with the Act’s requirements. Any records concerning a cybersecurity event must be maintained for at least five years from the date of the event.
Licensee’s Notification Obligations
A licensee must notify the Director of South Carolina’s Department of Insurance no later than 72 hours after determining that a cybersecurity event has occurred if:
- South Carolina is the licensee’s state of domicile in the case of an insurer, or home state in the case of a producer; or
- the licensee reasonably believes that the nonpublic information of 250 or more South Carolina residents may be affected, and the cybersecurity event either:
  - requires the licensee to give notice to any governmental, self-regulatory, or supervisory body under state or federal law; or
  - has a reasonable likelihood of materially harming a South Carolina resident or a material part of the licensee’s normal operations.
Notice must be provided in electronic form as directed by the Director and must include:
- the date of the cybersecurity event;
- how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers;
- how the cybersecurity event was discovered;
- whether any compromised information has been recovered and, if so, how;
- the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, governmental or law enforcement agencies and, if so, when;
- the specific types of affected information;
- the period during which the information system was compromised;
- a best estimate of the number of total consumers in South Carolina affected by the cybersecurity event, to be updated with each subsequent report;
- the results of any internal review identifying a lapse in automated controls or internal procedures;
- a description of remedial efforts being undertaken;
- the name of a contact person.
Notably, a licensee must also comply with the notice requirements set forth in South Carolina’s data breach statute, South Carolina Code Section 39-1-90, as well as any other applicable law, and provide a copy of any notice sent to consumers concurrently with notice to the Director under the Act.
Where a cybersecurity event occurs in a system maintained by a third-party service provider, the licensee must provide notice as if it were a breach of its own system. The 72-hour deadline starts on the day after the third-party service provider notifies the licensee of the event or the licensee acquires actual knowledge of the event, whichever is sooner. Nothing prevents a licensee from delegating any of its investigation or notification obligations to another licensee, a third-party service provider, or other entity.
ENFORCEMENT AND PENALTIES
The Director has the sole authority to examine and investigate licensees for any violations of the Act, consistent with the Director’s authority for examining insurers under South Carolina Code of Laws Section 38-13-10, et seq. The Director may take necessary and appropriate action to enforce the Act where a licensee is engaged in violations in South Carolina. The Act specifically permits the assessment of administrative penalties under South Carolina Code Section 38-2-10 for any violations, which could subject a licensee to a fine of up to $30,000 if willful and $15,000 if otherwise, or the suspension or revocation of authority to do business in the state, or both a fine and suspension or revocation of authority to do business in the state.
In addition to the exclusions to the definition of a “licensee” discussed above, the Act exempts from its ambit:
- a licensee with fewer than ten employees, including any independent contractors;
- an employee, agent, representative or designee of a licensee who is also a licensee to the extent that such person is covered by the information security program of the other licensee; and
- a licensee subject to the Health Insurance Portability and Accountability Act (“HIPAA”) that has established and maintains an ISP pursuant to the requirements thereunder, provided that the licensee is compliant with, and submits a written statement certifying its compliance with, the provisions of the Act.
The Act does not create any duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network.
The Act delegates notification obligations under its provisions and South Carolina’s data breach statute to ceding insurers (to the extent they have direct contractual relationships with affected consumers) in the case of a cybersecurity event involving nonpublic information used by a licensee who is acting as an assuming insurer (or in the possession, custody, or control of a third-party service provider of such a licensee).
Additional obligations are imposed where affected consumers accessed the insurer’s services through an independent insurance producer, which should be reviewed by applicable entities.
Any individual or nongovernmental entity that is licensed, registered, or authorized to operate under the insurance laws of South Carolina (or required to be so) should review the provisions of the Act and the detailed obligations set forth therein with proper legal counsel to ensure compliance before the first deadline of July 1, 2019.