On July 26, 2018, I attended the seminar about the South Carolina Insurance Data Security Act (IDSA) in Columbia, SC at the Capital Center Conference Room. The event was hosted by the South Carolina Insurance Association and the National Association of Mutual Insurance Companies (NAMIC).
Russ Dubisky, executive director of the SC Insurance Association welcomed everyone for coming and then made a few opening remarks about the seminar. Dubisky introduced the Director of the SC Department of Insurance (DOI) Raymond G. Farmer.
Director Farmer gave a legislative overview of the process that it took to get the IDSA passed as a law. Director Farmer explained that the DOI would be having a webinar in September to better inform the insurance community about the IDSA. Director Farmer advised that he also had representatives from DOI present to answer questions firsthand for the attendees at the end of the seminar.
Alex Hageli, Director of Policy, Research, International for the Property Casualty Insurers Association of America (PCI) spoke briefly about how the South Carolina law would impact data security standards nationally. Hageli explained some of the differences between the New York Data Security Act and the Insurance Data Security Act. Lobbying efforts attempted to get the South Carolina legislature to adopt more of the language included in the New York Data Security Act but failed in the end.
The New York Data Security Act, also known as the SHIELD Act, does not solely focus on the insurance industry but applies to data security for all businesses handling sensitive customer information. In meetings with members of the South Carolina legislature, it became clear that they would not follow the concise language of the New York act.
The Director of Compliance for NAMIC, Geoff Baker, was the next speaker. Baker focused on the language and intent of the Insurance Data Security Act (IDSA). It was clear from Baker’s presentation that numerous areas of the IDSA will require clarification and guidance from the DOI.
Baker stated that compliance with the Insurance Data Security Act (IDSA) will be a continual process for insurance companies to maintain. Insurance companies with 10 or more employees in the State of South Carolina are not exempt. Independent producers and contractors with 10 or more employees must also comply with the requirements of the IDSA.
NPI Definition and Concerns
Under the Insurance Data Security Act (IDSA), the definition of non-public information (NPI) has a broader meaning than what you would generally think of with personal, financial or HIPAA information. NPI additionally includes any business information that if it were disclosed or tampered with “would cause a material adverse impact to the business, operations, or security” of the company.
Why is this definition important? Because if NPI is breached, then it is a reportable cyber security event that would require notification to the DOI. Should a breach only obtain encrypted data without the encryption key to access the NPI information, this would not be considered a reportable cyber security event. Additionally, if the only data taken is non-NPI, then the security event would not need to be reported.
For foreign insurers the notification requirement is triggered if the reportable cyber security event affects the NPI of more than 250 consumers in South Carolina and the event requires the insurer to notify another governmental/regulatory agency (other than SC). Alternatively notification is required if there is reasonable likelihood of material harm to a SC consumer or insurer’s operation with more than 250 SC consumers affected.
Third-Party Service Providers
There was a lot of discussion about third-party service providers (TPSP) and how to ensure that they are compliant with the requires of the Insurance Data Security Act (IDSA). The IDSA states only that the licensee uses due diligence to confirm compliance. Can the TPSP just sign a contractual guarantee of their compliance with the IDSA or does the licensee have to do more? Will licensees have to audit TPSP or terminate contracts or appointments with agencies that are non-compliant? This is an area where the Department of Insurance (DOI) will need to provide further guidance.
Information Security Program
The Insurance Data Security Act (IDSA) clearly requires a written Information Security Program (ISP). You can find specific guidance on drafting the ISP by reviewing the language in the IDSA statute 38-99-20 (D) (2). Your ISP should be driven from the information uncovered during the risk assessment, not done independently. Other issues such as who drafts the ISP or approves the final draft is a little less apparent in the language of the IDSA.
During a Risk Assessment, you should be reviewing network infrastructure cyber security monitoring and controls, current cyber security policies and procedures, non-public information (NPI) governance and retention schedules, software development practices, existing cyber security training, NPI access methodologies, use of NPI, and the utilization of TPSPs. The Risk Assessment will be an important step in the process and should involve a team approach utilizing insight from the CISO, compliance lead, department heads, key user representatives, and cyber security experts.
Additionally, licensee’s need to have a written incident response plan defining a plan to handle cyber-attacks on NPI or the licensee’s information system. This response plan should also include guidance for business operations during disaster recovery.
The Insurance Data Security Act (IDSA) requires oversight of the process by the board of directors (or committee) to develop, implement, and maintain the ISP. An annual written report must be sent to the board defining the results of the Risk Assessment, risk management, TPSPs, testing results, cyber security events and responses, and recommendations for changes.
Where you can find more Information
As you can see the seminar covered a lot of important information and the hosting associations have been working hard to find answers for their members. Geoff Baker from NAMIC was kind enough to send me his slide presentation so that others could review the information in its entirety.
I will cover some of the questions answered by DOI representatives in another blog along with steps to sign up for information on their site. I encourage you to sign up on the DOI’s website to be forwarded bulletins and information about the IDSA. The DOI will be pushing out further guidance and hosting webinars on this topic soon.
Please pass this information along to other people you know in the insurance business. There are still smaller agencies who are unaware of the requirements of this law. Also tap into the resources provided by the NAMIC and the South Carolina Insurance Association. I have provided the links for you.
Co-Founder + Forensic Expert