In May of this year, South Carolina became the first state to officially adopt the National Association of Insurance Commissioners (NAIC)’s Model Law on Cybersecurity. While the law is a first in that it’s specific to the insurance industry, many organizations that have already adopted controls for SOX, PCI DSS, and HIPAA, to name a few, may find its implementation less onerous than it might appear at first glance. As the deadline for implementation (January 1, 2019[i]) fast approaches, it is worth looking at the requirements of the Model Law and the impact the Law will have on the industry as a whole.
The Act requires persons licensed to operate under the insurance laws of the state to implement a minimum level of data security controls to protect non-public information. Interestingly, the law takes a broader definition of non-public information than many state data security or data breach notification laws. For the purposes of this law, not only is the personal information of the consumer to be protected, but the law also specifically calls for protection of “business-related information of a licensee the tampering with which[sic], or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.” It is unusual in data protection or data privacy law to see a requirement to protect the information of businesses, but in this instance, it is an obvious broadening of protections. Licensees may in fact be individual agents, so the protection of their information is akin to the protection of employee information, such as the protections included in California’s Consumer Privacy Act. (As a side note, a wonderful analysis of the CCPA is available on the International Association of Privacy Professionals website.)
As I stated, those organizations that already have experience with SOX, PCI DSS, or HIPAA may recognize quite a few of the requirements of the South Carolina Insurance Data Security Act. Many of the elements are considered by security professionals to be “table stakes,” minimum requirements for doing business securely in today’s environment. These controls include:
- A risk assessment;
- A written information security policy that is commensurate with the size and complexity of the licensee’s organization and is based on the risk assessment;
- One or more employees that are designated as being responsible for the licensee’s information security program;
- A vendor management program;
- An Incident Response Plan, which includes a data breach notification process; and
- An annual attestation submitted to the Director of the Department of Insurance.
What’s interesting to note here, and is a position that I’ll often profess, is that in many cases compliance can be a byproduct of a good Governance, Risk, and Compliance (GRC) program. Companies that are well-versed in GRC and information security may already have these measures in place, irrespective of any regulatory obligation to do so. Those organizations are well-positioned when a state adopts new security rules. In those cases, the organization may be required to make some changes to its processes, but may avoid the total overhaul that a company less familiar with GRC practices may find itself undertaking.
The South Carolina law is very similar to the New York Data Security Act, which was passed in 2015. In addition, as alluded to in the introductory paragraph, the law is essentially an adoption by South Carolina of the NAIC’s Model Law. NAIC is actively encouraging states to adopt the law and has even “recommended that Congress should consider preempting the states if it is not adopted in 5 years.” More information on the Model Law can be found on NAIC’s website. Over the coming years, it will be interesting to observe the trend at the state level in terms of adoption of the Model Law. This might just prove to be a good time for a forward-thinking compliance officer to begin crafting a program to incorporate some of the clauses in the Model Law.
[i] The state has enacted extended deadlines for portions of the law. These deadlines are:
- July 1, 2019 for Section 39-99-20
- July 1, 2020 for Section 39-99-20(f)