Type of Data Covered: Electronic and non-electronic in some cases.
Deadline for Notification: Most expedient time possible and without unreasonable delay.
Government Notice: Yes – Notify the Director of the Department of Insurance.
Subject Licensees |
Applies to “licensees,” defined as persons or businesses licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to South Carolina insurance laws. This does not include a purchasing group or a risk retention group licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard |
Taking into consideration the size and complexity of the business, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used or in the licensee’s possession, custody, or control, licensees must conduct a risk assessment.
Based on the risk assessment, licensees must develop, implement, and maintain a written comprehensive information security program that contains administrative, technical, and physical safeguards designed to:
Types of Data Covered |
Electronic; paper and other non-electronic data are also covered when the nonpublic information concerns medical or health information.
Definitions |
“Consumer” means an individual including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.
“Cybersecurity event” means an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system. It does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released or used without authorization. It also does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
“Nonpublic information” means electronic information not publicly available and:
Methods of Compliance |
Risk Assessment
A licensee is required to conduct a risk assessment, and as part of this process, it must:
Information Security Program
Based on its risk assessment, the licensee is required to:
Role of the Board of Directors & Executives
If the licensee has a board of directors, the board or a committee of the board must require the licensee's executive management or its delegates to:
If the executive management of a licensee delegates any of its responsibilities, it remains responsible for overseeing the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and for ensuring that the report from the delegates complies with the requirements of the report to the board of directors.
Incident Response Plan
The incident response plan must include:
Government Notice |
A subject licensee must notify the Director of the Department of Insurance no later than seventy-two (72) hours after determining that a cybersecurity event has occurred if either of the following criteria is met:
If notification to the Director is required, it should be in electronic form and include as much of the following information as possible:
Enforcement |
The Director has the power and authority to examine and investigate the affairs of a licensee to determine whether the licensee is engaged in conduct in violation of this Act. When the Director has reason to believe that a licensee is engaged in conduct in this State which violates the provisions of this chapter, the Director may take necessary and appropriate action to enforce the provisions of this statute.
Last updated: January 2024