In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is going into effect on January 1, 2019.  South Carolina joins others states, including Connecticut and New York, to have breach notice requirements for insurance companies. The law will be a supplement to the requirements that financial companies, including insurance companies, already face under Gramm-Leach-Bliley Act. 

Companies must promptly investigate potential breaches under this new law. If a breach has occurred, they will often also have to notify the Director of Insurance within 72 hours. This notification must happen either if the company is regulated by the director or if the information of 250 South Carolina residents is affected.  The same obligations apply when a vendor is impacted.

The law also speaks to steps that must happen before a breach occurs. Not only do insurance companies need to have an incident response plan, they must also have a comprehensive information security program in place by July 1st, 2019.  The program must include risk assessments and be appropriate both to the company’s size and to the scope of its data assets. Companies will also be required to vet third party vendors and make sure they have appropriate cybersecurity controls.  Additionally, the law requires that senior leadership, including the Board, be involved in this program.

Putting it Into Practice: Insurance companies should keep this new law in mind, in particular the n notification requirement for when 250 or more residents have been impacted. Also noteworthy are the pre-breach steps, including an incident response plan and information security program. This is the second in our series of upcoming breach notice obligations going into effect January 1, 2019. Click here for the first article.