South Carolina Insurance Data Security Act

Although more restricted in scope of coverage, South Carolina follows in the footsteps of New York in imposing security standards on a segment of the financial services industry. Under the Insurance Data Security Act, South Carolina imposes security requirements on those “licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws” of South Carolina.  Licensees are required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. The required written information security program must be designed to:

• protect the security and confidentiality of nonpublic information and the security of the information system
• protect against threats or hazards to the security or integrity of nonpublic information and the information system
• protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer, and
• define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

In each instance where commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control.

Act has a delayed effective date. Licensees have until July 1, 2019, to implement Section 38 99 20 of the act and until July 1, 2020, to implement Section 38 99 20(F) of the act.   The act is available at https://www.scstatehouse.gov/sess122_2017-2018/bills/4655.htm