South Carolina requires insurers to have plans safeguarding customer data
Billion Photos / Shutterstock.com
Less than a year from now, insurers doing business in South Carolina will be required to have a “comprehensive information security program” that protects consumer data.
As of Jan. 1, 2019, insurers licensed in the state will be required to create and maintain data security standards based on an ongoing risk assessment, oversee third-party service providers, investigate breaches and notify regulators within 72 hours of a cyber event that affects more than 250 state residents.
“It provides some consumer protection to further help safeguard that extremely important and private information,” said South Carolina Department of Insurance director Ray Farmer after the passage of the Insurance Data Security Act in May, according to the South Carolina Radio Network. “It requires insurance companies to beef up their data security.”
In his remarks, Farmer said that more than 120 million Americans have had their health insurance information compromised, which was a motivation for passing the law.
The number is likely higher, according to the HIPAA Journal, which tracks healthcare data breaches. Between 2009 and 2017, they tracked 2,181 breaches involving more than 500 records. In total, that is over 175 million healthcare records affecting more than 176 million Americans.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
While Farmer said this law is the first of its kind among the states, Damian Caracciolo, vice president of the executive protection practice at Cbiz Inc., a financial services company, says that “it’s certainly important to put those things into words—that you have to be compliant—but most insurance carriers and most financial institutions are already compliant with those laws.”
“I don’t think it will have a significant impact on the major carriers. It may impact some smaller regionals that are ramping up their efforts,” he says. “I think it would be more critical if they required every carrier to have [insurance] coverage,” which he says the major carriers already do.
The new law explicitly does not create a private cause of action against companies found to be in violation of its provisions.
The law was based on model legislation created by the National Association of Insurance Commissioners, a standards setting body. The committee that drafted the legislation was chaired by Farmer.
Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP, told Bloomberg BNA that insurers like the NAIC model because it will “ward off” a patchwork of different state-level laws. She said that Rhode Island is also considering a version of the legislation.
In South Carolina, the law, including its notification requirement, goes into effect Jan. 1, 2019, and insurers will be required to provide written security plans to state regulators starting July 1, 2019.