The SC Insurance Data Security Act requires insurance providers to develop and maintain a comprehensive information security program that mirrors the size and complexity of their business model and includes third-party service providers.
This act covers any business-related information controlled by the insurance provider that would have a material adverse impact if it were disclosed, tampered with, or accessed without authorization. In addition, the act covers personal customer information such as social security numbers, driver's license numbers, banking and credit card information, personal health information, and security codes or passwords.
Insurance providers are required to designate staff or an outside vendor to be responsible for the program. The designated entity should be qualified to identify foreseeable internal and external threats that may result in unauthorized access, misuse, or destruction of business records or client information. In conjunction with those duties, the designated entity will ensure that adequate policies and procedures are in place covering employee training, data retention and disposal, threat detection, threat prevention, and threat response.
Policies & Plans
Written policies should outline competent practices addressing cyber security issues relating to the computer network, software, information classification system, and all pertinent data. Additionally, policies should address security measures that restrict access to nonpublic information, provide two-factor authentication, encrypt data, establish network monitoring, and maintain data backups. Plans should require recurring security assessments that probe the organization for any shortfalls and build on the successes of its security plan.
A detailed incident response plan must show how the company will react to a cybersecurity event. This detailed plan should address the goals of the incident response plan, assign clear roles and responsibilities of responding parties, establish decision-making authority, outline internal and external communications & information sharing, address the proper documentation and reporting for any incident, identify weaknesses, enact remediation, and evaluate the effectiveness of the incident response plan.
Annually, the insurance provider must submit a report to the Director of the Department of Insurance by the fifteenth of February certifying its compliance with the requirements of this act. All records should be maintained for five years. These records may be subject to review by the director or his/her designee.
Insurance providers have until July 1, 2019 to meet their specific requirements. All of their third-party service providers must meet the requirements of this act by July 1, 2020, when it becomes fully enforced.