The South Carolina Insurance Data Security Act (2017 S.C. Act No. 171, R. 184, H. 4655) was passed in May 2018. The purpose of this legislation is to ensure that licensees of the South Carolina Department of Insurance maintain a strong, proactive cybersecurity program that protects the personal data of consumers in South Carolina and elsewhere.

Applicability

The Act applies to any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, pursuant to the insurance laws of South Carolina. It expressly excludes (i) out-of-state purchasing groups or risk retention groups; and (ii) out-of-state licensees acting only as an assuming reinsurer.

Exceptions: Licensees or independent contractors meeting one or both of the conditions below are exempt:

  • licensees with fewer than 10 employees, or
  • licensees that can certify compliance with the requirements of HIPAA via a written certification

Effective Date

The Act is effective January 1, 2019. From this date, licensees must comply with the reporting requirements regarding a cybersecurity event.

Implementation Date

Licensees have until July 1, 2019 to implement the requirements of the Act if performing the work in-house. If outsourcing the work to a third party, licensees have until July 1, 2020 to implement the requirements.

Non-Compliance Penalties

A licensee who violates a provision of the South Carolina Insurance Data Security Act is subject to one or more of the following penalties under South Carolina Law Title 38, Chapter 2, Section 10.

  • Up to a $30,000 fine from the South Carolina Department of Insurance
  • Suspension or revocation of the violator’s authority to do business in South Carolina
  • Criminal penalties provided by law or any other remedies provided by law

PIRC

Section 38-99-20(F)(2) of the Act requires licensees who delegate their responsibilities under the Act to require third-party service providers to “implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.”