Written by Nameir Abbas
South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) and for components of the WISP related to third-party service providers (July 1, 2020).
Key Terms and Definitions
The law applies to licensees, generally defined as any person (including individuals, corporations and others) licensed pursuant to South Carolina insurance laws. There are limited exemptions for entities with fewer than ten employees and for employees, agents, representatives, and designees of licensees who also qualify as licensees (to the extent covered by the other licensee). There is also an exemption for licensees subject to HIPAA that have established and maintain an information security program pursuant to HIPAA and associated rules (though such entities are still required to submit a written statement certifying compliance with the South Carolina law).
At its core, the law requires licensees to implement a WISP that meets specified requirements. The WISP must be designed to protect nonpublic information and information systems and must be based on a risk assessment.
In summary, “nonpublic information” is information that is not publicly available and is either (1) business-related information the tampering with which, or unauthorized disclosure, access, or use of which would cause a material adverse impact; (2) information concerning a consumer which is identifiable in combination with specified data elements (e.g., SSN, driver’s license number); or (3) any information created or derived from a healthcare provider or a consumer and that relates to an individual’s health or condition, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual.
An “information system” is “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
Administrative Requirements for WISP
Licensees must designate someone as responsible for the information security program. As part of the information security program, licensees must identify and assess the likelihood and potential damage of reasonably foreseeable threats to nonpublic information. The law also requires licensees to “assess the sufficiency” of policies, procedures, information systems, and other safeguards to manage such threats, including those in the areas of employee training, information systems, and the detection, prevention, and response to intrusions.
Required Security Measures
Based on the risk assessment, the law requires that licensees design the WISP to mitigate identified risks commensurate with the sensitivity of nonpublic information they use or possess. Licensees also must “monitor, evaluate and adjust” the WISP to account for changes in technology, the sensitivity of nonpublic information, the threat landscape, or business arrangements.
The law specifically calls for licensees to “determine the appropriateness of and implement” several listed security measures. These measures vary in particularity. For example, one security measure is the placement of access controls on information systems. A contrasting and more prescriptive example is the protection by encryption or other appropriate means of all nonpublic information transmitted over an external network or stored on a portable device or media.
More generally, the security measures fall into four categories:
- Access controls
  - For information systems generally;
  - Physical access controls; and
  - Effective controls, including multi-factor authentication, for individuals accessing nonpublic information.
- Identification and management of “the data, personnel, devices, systems, and facilities” that enable the company to “achieve business purposes”, and
- Audit trails designed to detect and respond to cybersecurity events and reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee.
- Protections for nonpublic information
  - Encryption or other appropriate means of protection for all nonpublic information transmitted over an external network and all nonpublic information stored on a portable device or media;
  - Protections against loss (etc.) of nonpublic information due to environmental hazards or technological failures; and
  - Procedures for secure disposal of nonpublic information.
- Secure development practices for in-house applications and procedures for testing of externally developed applications;
- Modification of information systems in accordance with the licensee’s WISP; and
- Regular testing and monitoring of systems and procedures to detect attacks on information systems.
If licensees have a board of directors, the board or an appropriate committee of the board must require executive management to develop, implement, and maintain the WISP and require executive management to report on the overall status of the WISP and material matters related to WISP at least annually. If executive management delegates any of its responsibilities with respect to the WISP, executive management must oversee the execution of those responsibilities and receive a report from the delegates that complies with the requirements for the previously mentioned report to the board of directors.
Third-party service providers
The law obligates licensees to exercise “due diligence” (not defined or described) in selecting service providers, and to require service providers to implement appropriate security measures to protect and secure information systems and nonpublic information accessible to or held by the service provider. These requirements must be implemented by an extended deadline of July 1, 2020.
Incident response plan
The WISP must include a written incident response plan that addresses the process for responding to a cybersecurity event. The plan must address several areas: the process for response; the goals of the plan; the definition of roles, responsibilities, and decision-making authority; communications and information sharing; identification of requirements for remediation; documentation and reporting; and evaluation and revision.
Insurers domiciled in South Carolina must annually certify to the director of the South Carolina Department of Insurance that they are in compliance with the law’s WISP requirements, and must maintain for examination records supporting the certification for a period of five years. Unlike the certification required by the NYDFS cybersecurity rules, the SC law does not contain a prescribed form of certification. However, the South Carolina Department of Insurance has indicated that it will issue a series of bulletins regarding implementation of the law and additional details may be forthcoming. If there are areas in need of material improvement, insurers must document the identification and remediation and make such documentation available for inspection.
Notification of cybersecurity events
The law requires licensees to notify the Department of Insurance of certain cybersecurity events, defined as “an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.” The law also requires documentation of all cybersecurity events to be maintained for a period of five years from the date of the event and to be produced upon demand.
If a licensee learns that a cybersecurity event has occurred or may have occurred, it must conduct an appropriate investigation of the matter. If a cybersecurity event has indeed occurred, the licensee must notify the director within 72 hours of determining that a triggering cybersecurity event occurred if either (1) the licensee is domiciled in South Carolina, or (2) (a) the nonpublic information involved relates to no less than 250 South Carolina consumers and (b) the event either requires notice to any governmental body, self-regulatory agency, or supervisory body, or has a reasonable likelihood of materially harming either a South Carolina consumer or a material part of the normal operations of the licensee. The notification to the director must include specified content to the extent available, including among other things the date of the cybersecurity event, a description of the event, and how the event was discovered.
Notably, there are particular notification rules for licensees “acting as an assuming insurer,” requiring the assuming insurer to notify the affected ceding insurers and “the director of its state of domicile” within 72 hours of the determination that a cybersecurity event has occurred. The ceding insurer is required to notify consumers consistent with South Carolina’s data breach notification law. This provision is notable for apparently requiring insurers to notify regulators outside of South Carolina of cybersecurity events in certain circumstances.
There are also particular notification rules for cybersecurity events involving nonpublic information and a licensee that is an insurer “for which a consumer accessed the insurer’s services through an independent insurance producer.” In this scenario, the insurer is required to notify the producers of record of all affected consumers “as soon as practicable as directed by the director,” except for those instances in which the insurer does not have the current producer of record information for an individual consumer.
At a glance: comparison to NYDFS cybersecurity rules
Aspects of the South Carolina law will be familiar to companies that have dealt with the NYDFS cybersecurity rules. To begin with, the laws are similar in scope: both cover nonpublic information and information systems, with nearly identical definitions for each term. At a high level, both laws require companies to perform a risk assessment, develop a security program in some form, develop an internal governance structure, certify compliance to the regulator, and notify the regulator of cybersecurity events in specified circumstances.
Many of the requirements of the South Carolina law also have a direct parallel to NYDFS requirements. Each law requires “audit trails” with respect to material financial transactions and cybersecurity events; includes a requirement related to secure development of in-house applications and evaluation of externally developed applications; and requires use of effective controls, potentially including multi-factor authentication, with respect to accessing nonpublic information.
There are also, however, meaningful differences between the two laws. For instance, the NYDFS rules are much more prescriptive with respect to third-party service provider security requirements. While the South Carolina law merely requires “due diligence” and that service providers implement appropriate security measures, the NYDFS rules require covered entities to develop a full policy on third parties, notably including guidelines addressing the specific security practices of third party service providers (e.g., access controls, use of encryption, and notice to be provided to the covered entity in the event of a cybersecurity event).
Another key difference is the NYDFS provisions requiring covered entities to have qualified cybersecurity personnel and appropriate training for such personnel. These provisions have no clear parallel in the South Carolina law, which merely requires licensees to consider training and awareness policies in the context of the WISP.
Even some security measures referenced in both laws are subject to different standards. As an example, both laws require the use of effective controls (including multi-factor authentication) with respect to access to nonpublic information. However, NYDFS also requires the use of multi-factor authentication for any individual accessing a covered entity’s internal network from an external network (or an equivalent or more secure access control).
Lastly, NYDFS expressly requires companies to conduct annual penetration testing and to conduct bi-annual vulnerability assessments. Aside from a general requirement for licensees to monitor systems and procedures to detect attacks on information systems, there is no clear parallel to these requirements in the South Carolina law.