South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping records of incidents for at least five years. This new notice requirement does not exempt companies from South Carolina’s general breach notice law, which requires notice to impacted individuals.

The law also includes several security requirements, which will become effective July 1. Among those are having a written information security program, understanding potential risks, and taking steps to manage the risks. The law also requires entities to take care when choosing vendors or other third parties. Companies must certify compliance with the law annually, beginning in February 2020.

Putting it Into Practice: Insurance companies with general breach notice plans should keep in mind the need to notify the insurance regulator in South Carolina, as well as the upcoming security requirements. Among these is not only a written information security program, but also taking care when working with third parties.