In April of 2018, South Carolina became the first state in the nation to require insurance companies to establish data security standards to protect consumers from the consequences of cyber attacks. The legislation, named the Insurance Data Security Act, also puts requirements in place for how insurance companies must investigate cybersecurity attacks. South Carolina insurance carriers have until July of 2019 to fully implement the Insurance Data Security Act. The law officially went into effect on January 1, 2019.
State legislators drafted and passed this new law in response to a series of recent attacks in the insurance industry that exposed the private demographic and financial data of millions of Americans. The 2015 attack on the insurance giant Anthem appears to be the most significant catalyst for initiating and enforcing the new regulations.
What the Insurance Data Security Act Means for South Carolina Insurers
Under the provisions of the new security act, insurance companies, agents, and all other licensed entities that conduct business in South Carolina must establish a comprehensive security program and put it in writing by July 1, 2019. As quoted from state legislation, the new security program must be “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including the use of third-party service providers, and the sensitivity of the nonpublic information” within the control, possession, or use of the licensee.
Additionally, South Carolina insurers must base the company’s cybersecurity program on an individual assessment of risk. Based on the results of that assessment, the licensee must design an information security program that reduces these risks as much as possible, with the stated goal of completely eliminating them. It is the responsibility of each insurance licensee to determine appropriate measures related to the following:
- Access controls
- Cybersecurity event audit trails
- Data
- Device
- Encryption of nonpublic information at rest on removable data and mobile devices
- Encryption of nonpublic information in transit
- Multi-factor authentication
- Personnel inventories and mapping
- Physical access restrictions
- Routine system monitoring and testing
- Secure application development practices
- Secure disposal of all nonpublic information
- Systems upgrades
This is a significant undertaking for insurance companies and agents in South Carolina to achieve in the next six months. Many will find that they need to reach out to information technology specialists to help them come into compliance in the time required under state law.
Requirements for Insurance Company Director Boards
The Insurance Data Security Act not only imposes what insurers must do to implement a plan to safeguard consumer privacy, but it also dictates required actions for people with specific roles within the company. For example, the board of directors of each insurance company in South Carolina is personally responsible for supervising the development and implementation of the new cybersecurity program. The board’s supervising duties also include issuing a directive to senior management to produce an annual written report that contains the following information:
- A high-level overview of the cybersecurity program status and whether each agent or licensee appears to be in full compliance with the new program.
- All material matters, including individual cybersecurity events and the response to each, risk assessments, risk management decisions and controls, service provider arrangements with third parties, and results of all testing. Most importantly, senior management must recommend specific changes to the program in response to any ongoing issues they have observed that have posed a challenge to compliance.
It is crucial to the success of the new cybersecurity program that board members and senior officials with South Carolina insurance companies take their role seriously. This is the only way to ensure successful implementation of the program as well as address any early compliance concerns.
Specific Licensee Requirements under the Insurance Data Security Act
The act also spells out highly specific responsibilities for insurance licensees. For example, every licensee in the state should have produced a written document outlining a plan for how to respond to and recover from a cyber attack. This covers attacks that threaten the security of any nonpublic information that the licensee retains personally or within the company’s computer information systems. These plans were due by January 1, 2019, and must contain all of the following information:
- The process of internal response to a cyber attack
- Specific goals for the prevention and response plan
- An outline of the specific responsibilities and roles of each person who has the authority to make cybersecurity decisions
- Internal and external communication and sharing of information
- Requirements for remediation
- Detailed documentation of any recent cyber attacks, including each step of the response
- Any revisions made to the plan since its original creation date or any anticipated future changes
The new law gives licensees until July 1, 2020, to create and implement a cybersecurity program with a third-party service provider. The expectation is for licensees to choose the provider using due diligence. It is the responsibility of licensees to ensure that the new service provider possesses the ability to offer administrative, physical, and technical support as required under the provisions of the cybersecurity act. This is necessary to ensure that third-party service providers protect computer systems as well as all nonpublic customer information.
Finally, the licensee must regularly monitor the work of the service provider to ensure compliance. Upon discovery of any issues, the licensee must initiate adjustments to the agreement between the two companies. The new law makes it incumbent upon every insurer in South Carolina to provide an annual compliance certification as well.
Protocol for the Investigation, Response, and Disclosure of Cybersecurity Attacks
Insurance companies, along with agents and licensees, now have only three business days after discovery to investigate and report the events surrounding a cyber attack or event. The definition of a cyber event includes any action that resulted in an unauthorized person gaining access to nonpublic information. The purpose of such an attack is to disrupt computer systems in order to obtain and misuse the information stored inside them. The definition does not include any data that a cybercriminal destroyed or returned.
The Insurance Data Security Act includes a somewhat vague definition for what qualifies as nonpublic information. For example, protected data includes anything that usually receives protection under existing laws for data breach notification. However, it does not define the specific types of data.
Other information protected under this new act includes any business data that demonstrates proof of unlawful tampering by an insurance licensee. This consists of any unauthorized disclosure, use, or access of information that demonstrates the licensee attempted to manipulate data for the benefit of the insurance business.
Once a licensee has determined that a legitimate cyber event occurred, it is up to him or her to initiate an immediate investigation. The investigation must include each of the following elements:
- Determining whether the incident meets the legal definition of cyber event
- Researching the facts regarding the event
- Determining whether a cybercriminal obtained any nonpublic data and identifying the customers impacted
- Promptly remediating any vulnerabilities that caused the breach of data
Both insurance licensees and third-party service providers must retain a record of all cyber events for a minimum of five years. They must also produce the record promptly when any authorized party requests to see it.
Regarding disclosure of cyber events, a licensee must notify the Director of the Department of Insurance within 72 hours of resolving the issue. This requirement covers all insurance businesses licensed in South Carolina. Additionally, the act requires licensees to notify other government agencies or insurance supervisory boards if the data breach involved more than 250 state residents or a reasonable likelihood of widespread harm exists. The notification to the government agency or insurance supervisory board should include the following information at a minimum:
- The date and specific details of the cyber event
- The methods used to discover the issue
- The types of nonpublic data compromised
- Whether the licensee notified law enforcement, and if so, the date this occurred
- The intended steps of remediation
- A valid copy of the most recent privacy policy of the licensee
- The specific plan for investigation and notification of consumers
Other States Expect to Follow Suit
South Carolina has taken a significant step toward consumer protection by implementing this law as of January 1, 2019. Several other state legislatures are currently considering the same or a similar act, so it should come as no surprise to consumers and those in the insurance industry to see widespread adoption in the future. Even industries outside of insurance may look to the act to determine its usefulness when adapted to that specific industry.