The ramp-up of cybersecurity regulation, albeit in a patchwork fashion through state-level legislation, has begun. On May 18, 2018, South Carolina enacted the Insurance Data Security Act (Act), becoming the first state to pass legislation based upon the Insurance Data Security Model Law that was approved by the National Association of Insurance Commissioners (NAIC) last October. The Act makes very little change to the model law’s text, which in turn, is based on 23 NYCRR § 500, et seq., the cybersecurity regulations promulgated by the New York State Department of Financial Services in March 2017. The Act establishes stringent standards for both data security programs, and an entity’s response to a “cybersecurity event” through an organized and methodical investigation and notification to the state’s Department of Insurance. Like New York’s cybersecurity regulations, the Act requires insurers to submit to the Department of Insurance annual certification of compliance and has a ratcheted implementation of portions of the legislation on insurers and brokers operating or otherwise licensed to do business in the state. It does not create a private cause of action.
Reprinted courtesy of White and Williams LLP attorneys Richard Borden, Sedgwick Jeanite and Joshua Mooney
Mr. Borden may be contacted at firstname.lastname@example.org
Mr. Jeanite may be contacted at email@example.com
Mr. Mooney may be contacted at firstname.lastname@example.org