South Carolina has become the first state in the nation to pass a cyberscurity law which covers insurance companies who do business in the state.
Governor Henry McMaster signed the bill last week.
Department of Insurance director Ray Farmer said more than 120 million U.S. citizens have had their personal health insurance information compromised due to security breaches at several large companies. He believes the law will be a model for other states to adopt as data security becomes an issue for every industry.
“It provides some consumer protection to further help safeguard that extremely important and private information,” he said. “It requires insurance companies to beef up their data security.”
Farmer chaired the National Association of Insurance Commissioners Cybersecurity Working Group that drafted the law.
“South Carolina is now the first in the nation to pass a comprehensive data security insurance law,” Farmer said. “This sets South Carolina apart and shows we are dedicated to keeping insurance information safe. In this day where cybersecurity breaches are a real and ongoing threat it is best to take a proactive approach to protecting data before there is an issue, rather than trying to fix a breach once it has happened.”
“It requires a company, in an event they do have a breach, to notify the regulator, and in this case, the Department of Insurance, within 72 hours,” he said. “And at that point we can form a partnership with the company to see what we need to do to protect consumers, the citizens of this state.”
Farmer said the law sets protections for consumers, gives guidelines to companies and gives guidelines to regulators.
The new requirements include that companies must maintain an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event. Other provisions that the new law provides include:
• Safeguarding individual insurance policy holder’s personal information as a high priority
•Establish data security standards. The law applies to insurance companies licensed by the state to mitigate the potential damage of a data breach
•Insurance companies must also develop, implement and maintain secure information
“The United States Department of Treasury has commended the regulators for developing the model bill and has encouraged every state to adopt it and to adopt it within the next several years,” Farmer said.
All insurance companies doing business in South Carolina will have to comply with the law.