Elliot Davis Cybersecurity Update: South Carolina Department of Insurance Data Security Act

Staff Report From South Carolina CEO

Monday, June 25th, 2018

On May 3, 2018, the governor of South Carolina signed the South Carolina Department of Insurance Data Security Act. The law is intended to protect personal information in the State of South Carolina from cybersecurity threats. The law goes into effect on January 1, 2019 and the first reports are to be sent to the Department of Insurance by July 1, 2019. The law implements rules for South Carolina licensees (insurers), agents and other licensed entities in regards to how they manage and secure information. This detailed law provides stringent requirements for entities requiring them to:

- Maintain a comprehensive information security program

- Establish an Incident Response Plan

- Report to the Director of the Department of Insurance annually

- Detect and respond to cybersecurity attacks and intrusions

- Provide sufficient training and awareness to staff and third parties that handle client data

- Implement access controls so that only employees with a ‘need to know’ can access client data

There are other components that need to be implemented in order for agencies, brokers and carriers to be compliant. Organizations with less than 10 employees/contractors are exempt.

We recommend that agencies, brokers and carriers that are impacted by this legislation begin analyzing their current information security programs to see how it aligns with these new requirements. If organizations do not have an information security program, now is a good time to develop one. In addition to complying with the new law, implementing the best practices outlined will protect corporations from the increasing threat of cybercriminals.

The Elliott Davis Cybersecurity Team has analyzed the new law and we are prepared to assist any way possible.