Now is the time to audit the data security practices that your insurance company has in place to ensure that they meet the future requirements of the South Carolina Insurance Data Security Act. Starting July 1, 2019, this act will become enforceable against those entities required to be licensed to operate a business or sell insurance. Those businesses that have partnered with third-party service providers that have access to, process, or maintain their data will get an additional twelve months (until July 1, 2020) to ensure their third-party affiliates meet the standards of the act.
Noncompliance with the act may surface in a variety of ways, such as an insurance entity failing to meet the annual reporting requirement of this act, a cybersecurity event that was not properly reported to the Department of Insurance, or a normal examination of a licensed party as required by state law.
Insurers found to be in violation of this act can face both civil and criminal penalties. Under administrative penalties for other than willful violations, insurers face a possible suspension or revocation of their authority to conduct business in this state and/or a fine of up to $15,000. For willful violations, administrative fines can increase to $30,000.
If the violator is a person other than the insurer and the violation is non-willful, the penalty is a fine not to exceed $2,500 and/or suspension or revocation of the person's license. If it is a willful violation, the fine limit increases to $5,000.
Criminal penalties set forth by South Carolina law under the statutes as they pertain to insurance allow for a misdemeanor charge that carries the possibility of punishment of up to two years in jail and/or a fine up to $2,500.
None of the actions brought about by the South Carolina Department of Insurance indemnifies a person or entity from the potential violations of federal law or the many other civil remedies individuals would have against you if their information is breached.
So if you are reading this and thinking that there is plenty of time, don't underestimate the time needed to develop a well-thought-out, multi-layered information security program and incident response policy and to educate your employees about them. If you have multiple third-party service providers, you will need time to understand their administrative, technical, and physical security measures as they pertain to your data. It will take time to coordinate any needed changes to third-party practices to meet the requirements of this act. Some third-party service providers may not be open to sharing their methodology with you or changing it. If this is the case, finding a new third-party service provider or implementing an in-house solution will be lengthy.
Now is a good time to familiarize yourself with the requirements of the act or find an outside vendor that can do it for you.