Now is the time to audit the data security practices that your insurance company has in place to ensure that they meet the future requirements of the South Carolina Insurance Data Security Act. Starting July 1, 2019, this act will become enforceable against those entities required to be licensed to operate a business or sell insurance. Businesses that partner with third-party service providers who have access to, process, or maintain their data will get an additional twelve months (until July 1, 2020) to ensure that their third-party affiliates meet the standards of the act.
Non-compliance with the act may surface in a variety of ways, such as an insurance entity failing to meet the annual reporting requirement of this act, a cybersecurity event that was not properly reported to the Department of Insurance, or a normal examination of a licensed party as required by state law.
Insurers found to be in violation of this act can face both civil and criminal penalties. For administrative penalties in cases other than willful violations, insurers face a possible suspension or revocation of their authority to conduct business in this state and/or a fine of up to $15,000. For willful violations, administrative fines can increase to $30,000.
If the violator is a person other than the insurer who is involved in a non-willful violation, fines may not exceed $2,500 and/or suspension or revocation of the person's license. If it is a willful violation, the fine limit increases to $5,000.
Criminal penalties set forth by South Carolina law under the insurance statutes allow for a misdemeanor charge that carries the possibility of up to two years in jail and/or a fine of up to $2,500.
None of the actions brought by the South Carolina Department of Insurance shields a person or entity from potential violations of federal law or from the many other civil remedies individuals would have against you if their information is breached.
So if you are reading this and thinking that there is plenty of time, don't underestimate the time needed to develop a well-thought-out, multi-layered information security program and incident response policy, and to educate your employees about them. If you have multiple third-party service providers, you will need time to understand their administrative, technical, and physical security measures as they pertain to your data. It will take time to coordinate any changes to third-party practices needed to meet the requirements of this act. Some third-party service providers may not be open to sharing their methodology with you or changing it. If this is the case, finding a new third-party service provider or implementing an in-house solution will be lengthy.
Now is a good time to familiarize yourself with the requirements of the act or to find an outside vendor that can do it for you.
Privacy is a big topic these days, especially when technology like the internet has made life easier for doctors and patients by streamlining the medical care experience. The problem with making areas of our lives more connected is that there are more ways for sensitive information to get out, creating a big privacy concern for patients who want to keep their private information private. HIPAA regulations were created to make sure that your sensitive data is protected. This blog post looks at how these laws have changed since the creation of the act in 1996. [i]
The SC Insurance Data Security Act requires insurance providers to develop and maintain a comprehensive information security program that mirrors the size and complexity of their business model and includes third-party service providers.
This act covers any business-related information controlled by the insurance provider that would have a material adverse impact if it were disclosed, tampered with, or accessed. In addition, the act covers personal customer information such as Social Security numbers, driver's license numbers, banking and credit card information, personal health information, and security codes or passwords.
Insurance providers are required to designate staff or an outside vendor to be responsible for the program. The designated entity should be qualified to identify foreseeable internal and external threats that may result in unauthorized access, misuse, or destruction of business records or client information. In conjunction with those duties, the designated entity will ensure that adequate policies and procedures are in place to cover employee training, data retention and disposal, threat detection, threat prevention, and threat response.
Policies & Plans
Written policies should outline sound practices addressing cybersecurity issues relating to the computer network, software, information classification system, and all pertinent data. Additionally, policies should address security measures to restrict access to nonpublic information, provide two-factor authentication, encrypt data, and establish network monitoring and data backups. Plans should require recurring security assessments that probe the organization for any shortfalls and build on the successes of its security plan.
A detailed incident response plan must show how the company will react to a cybersecurity event. This plan should state the goals of the incident response plan, assign clear roles and responsibilities to the responding parties, establish decision-making authority, outline internal and external communications and information sharing, address the proper documentation and reporting of any incident, identify weaknesses, enact remediation, and evaluate the effectiveness of the incident response plan.
Annually, by the fifteenth of February, the insurance provider must submit a report to the Director of the Department of Insurance certifying its compliance with the requirements of this act. All records should be maintained for five years. These records may be subject to review by the director or his or her designee.
Insurance providers have until July 1, 2019 to meet their specific requirements. All of their third-party service providers must meet the requirements of this act by July 1, 2020, when it becomes fully enforced.
On May 3, 2018, Governor Henry McMaster signed into law the SC Insurance Data Security Act. The SC Insurance Data Security Act pertains to insurance businesses that are licensed or required to be licensed through the Department of Insurance. In addition, a business must employ 10 or more employees, agents, representatives or independent contractors to fall under the requirements of this act.
On the plus side, agents or independent contractors working under a business that meets the size requirement above are not required to create their own information security program. But that only applies if they are covered by the program of a parent company or business. Furthermore, licensed insurance groups that meet the higher standards of the Health Insurance Portability and Accountability Act are considered to meet the standards of the SC Insurance Data Security Act. These entities are not required to have a separate program and only need to file a written statement certifying their compliance.
With all that being said, this act only pertains to licensees who are domiciled in the State of South Carolina.
If you need further clarification to see if you or your business will be impacted by this act, please call the South Carolina Department of Insurance at (803) 737-6160.
Talking with people in the medical community and adjacent industries, I often hear the question, "Are we covered by HIPAA?" Technically, what they are asking is whether they are a covered entity (CE). The U.S. Department of Health and Human Services (HHS) has seemingly made this clear with the following statement:
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.