South Carolina is the first state to enact cybersecurity legislation for the insurance industry. Gov. Henry McMaster signed The South Carolina Insurance Data Security Act. The bill requires SC insurers to protect customer data. They must “develop, implement, and maintain a comprehensive information security program.”

The new law applies to anyone licensed or who is required to be licensed, registered, or authorized to operate under SC’s insurance laws. The act requires “licensees” to prevent, detect, and respond to customer data breaches. Those who don’t comply face fines and penalties. Those subjected to Health Insurance Portability and Accountability Act (HIPAA) may be exempt. Certain groups whose charter/license is in another state may also be exempt.

Licensees have until January 1, 2019, comply with reporting requirements and other provisions. They have until July 1, 2019, to begin and maintain their programs.

What will it look like? Licensees must conduct a risk assessment and implement measures to prevent cybersecurity breaches. They need to assess their efforts on a regular basis. They must establish a procedure for responding to threats. If they find issues, they must adjust their procedures and equipment to keep data safe.

The law imposes a duty on the licensee’s board of directors to enforce compliance. The board must, at minimum, require management to develop, carry out, and maintain the plan. A designated individual or vendor will act as the responsible party. They must prepare an annual report for the board. They’re also responsible for detection, prevention, and response to threats.

If an incident occurs, the responsible party must investigate. They’re required to file a report of the event and customers must be notified. Depending on the scenario, they may also need to notify the state department of insurance.