South Carolina’s New Insurance Data Security Act: Pebbles Before a Landslide?
The ramp-up of cybersecurity regulation, albeit in a patchwork fashion through state-level legislation, has begun. On May 18, 2018, South Carolina enacted the Insurance Data Security Act (Act), becoming the first state to pass legislation based upon the Insurance Data Security Model Law that was approved by the National Association of Insurance Commissioners (NAIC) last October. The Act makes very little change to the model law’s text, which, in turn, is based on 23 NYCRR § 500, et seq., the cybersecurity regulations promulgated by the New York State Department of Financial Services in March 2017. The Act establishes stringent standards both for data security programs and for an entity’s response to a “cybersecurity event” through an organized and methodical investigation and notification to the state’s Department of Insurance. Like New York’s cybersecurity regulations, the Act requires insurers to submit to the Department of Insurance an annual certification of compliance and phases in portions of the legislation for insurers and brokers operating or otherwise licensed to do business in the state. It does not create a private cause of action.
Although many of the Act’s requirements follow the example set by the New York cybersecurity regulations, there are some material differences, too. With pending legislation in Rhode Island (Bill 2018–H 7789) and similar legislation passed by Vermont (4:4 Vt. Code R. § 8:8-4) and Nevada (Assembly Bill 471) regulating the financial services industry, 2018 could be seen as a watershed moment for significant change in cybersecurity regulation across the nation. Some of the more significant requirements implemented by the Act, and how they differ from New York’s cybersecurity regulations, which remain a standard of comparison, are as follows.
The Requirement to Investigate and Report a Cybersecurity Event
Effective January 1, 2019, those insurers and brokers covered by the Act (i.e., “licensees”) must investigate an actual or suspected cybersecurity event. The Act states that if a licensee “learns that a cybersecurity event has occurred or may have occurred,” the licensee (or its designee in the case of a third-party provider) “must conduct a prompt investigation of the event,” and at a minimum:
- determine whether a cybersecurity event occurred;
- assess the nature and scope of the cybersecurity event;
- identify any nonpublic information that may have been compromised; and
- undertake “reasonable measures to restore the security of the information systems compromised” in order to prevent “further unauthorized acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or control.”
If the licensee learns that a cybersecurity event took place or may have taken place in a system maintained by a third-party service provider, the licensee still must complete an investigation or confirm and document that the third-party service provider conducted and completed an investigation pursuant to the Act’s requirements. In other words, a licensee may not deflect its legal responsibility through contracts; it is still required to ensure that a suspected cybersecurity event is investigated even if the event does not involve its systems.
Under the Act, a “cybersecurity event” means the same as under the NAIC model law, which is narrower than the New York regulations. The Act defines a cybersecurity event as “an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.” Unlike the New York cybersecurity regulations, a cybersecurity event does not include unsuccessful cyberattacks, and the term’s definition has an encryption safe harbor built in. The definition of cybersecurity event also contemplates a good faith mistake safe harbor, as the definition expressly excludes “an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.” However, similar to the New York cybersecurity regulations, “nonpublic information” is broadly defined to include business information, the tampering or unauthorized disclosure or use of which would cause the entity a “material adverse impact” to its business, operations, or security; consumer personal information, as defined by enumerated data elements; or protected health information (PHI). The definition is much broader than the meaning of “personal information” typically found in state data breach notification laws, which define the term to mean a consumer’s name in combination with a narrow set of data elements.
Like the New York cybersecurity regulations, the Act also has a stringent 72-hour notification requirement. If a licensee determines that a cybersecurity event took place, the licensee must notify the Department of Insurance no later than 72 hours after such determination if the following criteria also are satisfied:
- the licensee is domiciled in the state; or
- the licensee “reasonably believes” that the event involved the nonpublic information of at least 250 South Carolina residents, and:
(i) the licensee is required to provide notice of the event to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law; or
(ii) the event has a “reasonable likelihood of materially harming" a state resident or a “material part” of the licensee’s normal operations.
The effect of this requirement is that an entity’s response to a cybersecurity event must be rapid and organized. One purpose of this tight deadline is to force entities to create programs that allow them to detect and contain cybersecurity events as quickly as possible.
The Requirement of Executive Management to Implement a Comprehensive Cybersecurity Program Based upon a Risk Assessment
Effective July 1, 2019, “[c]ommensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control,” all insurers and brokers covered by the Act must “develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system.” Make no mistake, these requirements are substantial, but there is flexibility that is absent from the New York cybersecurity regulations. The Act recognizes that one size does not fit all. This approach is much more akin to data security requirements under the Health Insurance Portability and Accountability Act, which also grants covered entities and business associates “the flexibility to choose security measures appropriate for their size, resources and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard.” 45 CFR § 164.
Despite this flexibility, the Act’s requirements for a licensee’s cybersecurity program are substantial. The Act requires that an insurer’s or broker’s cybersecurity program be both written and “comprehensive,” meaning pro forma attempts to implement a security program are insufficient and will not satisfy an audit. In addition, each insurer or broker must have an individual, typically a chief information security officer or third-party service provider, designated to oversee the program. The Act makes no bones about the significant work an entity may need to undertake in order to comply with its provisions. The Act states that licensees must design cybersecurity programs to mitigate identified risks, create appropriate access controls on their information systems, and include policies and procedures addressing areas of data security, including data governance procedures and audit trails, physical security, and the use of tools like encryption to protect nonpublic information while in transmission or stored on mobile devices or media. Each licensee also must establish a broad written incident response plan “to respond to, and recover from” a cybersecurity event that compromises the confidentiality, integrity, or availability of its nonpublic information, its information systems, or its business operations.
An entity’s cybersecurity program also must be a living and breathing program. The Act requires licensees to “monitor, evaluate and adjust” their cybersecurity programs to reflect changes in technology, internal or external threats, or the sensitivity of their nonpublic information. The Act also requires that the program include “regular testing and monitoring” to “detect actual and attempted attacks on, or intrusions into, information systems.” Insurers and brokers also must train their workforce, and have a written incident response plan designed “to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.”
Further, the entity’s cybersecurity program is not a requirement that may be pushed down to mid- or lower-level management. The Act requires executive involvement and buy-in. Specifically, the Act states that the board of directors must require executive management to develop, implement and maintain the licensee’s information security program and to provide an annual “report in writing” on the status of the cybersecurity program, material matters relating to the program, recommended changes to the program and the licensee’s compliance with the Act. If executive management delegates its responsibilities, it still must “oversee the development, implementation and maintenance of the licensee’s information security program prepared by the delegates and receive a report from the delegates which must comply with the requirements of the report to the board of directors.”
The Requirement to Conduct “Due Diligence” on Third-Party Service Providers
Effective July 1, 2020, all insurance carriers and brokers authorized to conduct business in South Carolina must exercise “due diligence” in selecting their third-party service providers and require any third-party service provider to “implement appropriate administrative, technical and physical measures” to protect and secure the licensee’s information systems and nonpublic information accessible to the third-party service provider. This includes everyone who has access to the licensee’s information systems and nonpublic information, from third-party claims administrators and photocopy service providers to a licensee’s accounting firm or law firm.
The Requirement to Certify Compliance with the Act
Finally, the Act requires that each insurer domiciled in South Carolina submit to the Department of Insurance “a written statement” certifying that “the insurer is in compliance with the requirements set forth in this section” on February 15 of each year. The Act’s reference to an “insurer,” and not a “licensee,” appears to exempt brokers and other entities covered by the Act from this certification requirement. The exact form of the certification also is unclear, and likely will be addressed by regulations promulgated by the South Carolina Department of Insurance. The Act further provides that each insurer maintain for inspection by the department all records supporting its certification, as well as any documentation identifying areas that require material improvement or updates to its compliance, for five years.
Although the Act shares the same February 15 certification date as the New York cybersecurity regulations, restricting the Act’s certification requirement to insurers domiciled in the state makes the requirement much narrower. The New York regulations have a much broader reach, requiring covered entities – not just insurers – that merely conduct business in New York to certify.
The Act has some exemptions, albeit ones that raise some questions. Like the New York regulations, the Act exempts from compliance licensees with fewer than ten employees. However, unlike the regulations, which also exempt entities that have less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or less than $10,000,000 in year-end total assets, the Act does not have financial thresholds to provide an entity with exempted status. Thus, if a licensee has more than ten employees, it is not exempted despite a lack of significant income or assets. The Act also allows licensees to claim exempt status so long as they fall within another licensee’s cybersecurity program. Specifically, the Act exempts “an employee, agent, representative or designee of a licensee, who is also a licensee,” thereby relieving the need to develop its own information security program “to the extent that the employee, agent, representative or designee is covered by the information security program of the other licensee.”
Finally, the Act also exempts a licensee subject to HIPAA that has “established and maintains an information security program pursuant to such statutes, rules, regulations, procedures or guidelines established thereunder”; provided, however, that the licensee “is compliant with, and submits a written statement certifying its compliance with, the provisions of this chapter.” So, a licensee subject to HIPAA is exempt under the Act so long as it has established and maintains a cybersecurity program that complies with the Act’s requirements, and the licensee also certifies that it is compliant with the Act. This apparent inconsistency likely will be addressed by the South Carolina Department of Insurance through regulations or FAQs.
If you have questions or would like more information, please contact Joshua Mooney (firstname.lastname@example.org; 215.864.6345), Richard Borden (email@example.com; 212.631.4439) or Sedgwick Jeanite (firstname.lastname@example.org; 212.631.4413).