The SC Insurance Data Security Act: Ask Some Questions to Evaluate Your Security Program
The South Carolina Insurance Data Security Act (“Act”), fashioned after the NAIC Insurance Data Security Model Law (Model Law), went into effect on January 1, 2019. South Carolina was the first state in the nation to pass this legislation, and others (Ohio, Mississippi) have followed suit. The Act requires each South Carolina person licensed or authorized by the South Carolina Department of Insurance (DOI) (a “Licensee”) to implement, no later than July 1, 2019, a “comprehensive written information security program” (“Program”) designed to protect nonpublic information (NPI) and the security of the Licensee’s information system. In addition, the Act requires a Licensee to report to the Director of the DOI within 72 hours following an actual or potential “cybersecurity event.” S.C. Code Section 38-99-40(A) (Section 6(A) of the Model Act). While South Carolina Licensees (hopefully) are well down the path to meeting the Act’s requirements, the following may be u