South Carolina Agent & Broker Winter 2019
No. 1: The law applies to ALL SC Department of Insurance licensees –
producers, agencies, brokers, insurance companies – and excludes a very
limited and narrow group. If you do not have electronic information, do
NOT have any Nonpublic Personal Information (NPI) or are a risk retention
group – then you do not have to comply with the new law.
No. 2: ALL producers/agencies must report ALL data breaches to the SC
Department of Insurance. There are no exemptions from this part of the law.
Beginning Jan. 1, 2019, any loss of electronic data that contains Nonpublic
Personal Information must be reported online to the SC Department of
Insurance within 72 hours of discovery.
South Carolina resident agencies/producers must report all breaches
regardless of the number of records.
Non-resident agencies/producers must report a breach if:
1. Nonpublic information of 250 or more South Carolina consumers is
   involved and either
   a. Notice is required to be provided to a governmental or
      self-regulatory agency or any other supervisory body pursuant to
      state or federal law or
   b. The cybersecurity event has a reasonable likelihood of materially
      harming:
      i. Any consumer residing in South Carolina.
      ii. Any material part of the normal operations of the licensee.
No. 3: There are limited exemptions for some. Exemptions from part of
the law apply to:
1. Licensees with fewer than 10 employees, including independent
   contractors.
2. Licensees that come under another licensee's security plan (an individual
   producer would normally be covered under an agency security plan).
3. Licensees subject to HIPAA that submit written certification of
   compliance with HIPAA.
4. Licensees that certify compliance with the New York Cyber Security
   Regulation.
The exemption only applies to having a written security plan – all licensees
must comply with the reporting requirements. Also, qualifying for an
exemption does not exempt a licensee from protecting NPI under other state
and federal laws such as the Gramm-Leach-Bliley Act, Fair Credit Reporting Act/
Fair and Accurate Credit Transactions Act, the Federal Trade Commission
Act and HIPAA. For more details on the requirements of these laws, visit our
cyber resource page (see sources below).
No. 4: If you do not qualify for one of the exemptions listed in No. 3, there
are additional requirements for producers/agencies. These requirements
include:
1. Conducting a risk assessment of your agency. Risk assessment will be
   different for each licensee – depending on the size and complexity
   of your operation. The assessment should include identification of
   reasonably foreseen internal and external threats to NPI, evaluation of
   policies, procedures and information systems to protect against threats
   and continued monitoring to assess effectiveness of safeguards.
2. Implementing an information security program (deadline is July
   1, 2019). Your agency should compile a written security plan that
   addresses any known or suspected threats as well as how your office will
   respond to a cybersecurity breach. IIABSC members can start with
   the downloadable cyber security plan template available through the
   Agents Council on Technology (this tool is available to IIABSC members
   only).
3. Providing cybersecurity awareness training for employees and third
   parties. Employees should be trained to protect NPI data. They should
   be taught to alert management to suspicious computer activity, to
   recognize email scams, to safeguard computers by locking them and
   keeping them secure, to change and protect passwords according to the
   agency policy, and to be familiar with the laws that protect the
   information they use to perform their jobs.
4. Exercising due diligence with the selection of third-party vendors,
   requiring them to implement the necessary security measures (deadline
   is July 1, 2020). There will be more guidance on this requirement from
   the SC Department of Insurance. Ultimately, SC licensees will be held
   accountable for the actions of third-party vendors with which the
   agency works and that have access to agency NPI.
No. 5: One size does not fit all. Please understand that there is no single
answer to compliance with this new law. Each agency/producer may use
different solutions to comply. Whatever track your operation takes, document
your compliance efforts. While you do not have to report to the DOI how
you are complying with the law, in the event of a data breach in your agency,
the DOI investigation will include an analysis of your preparation and
prevention. Other tips for effective compliance include:
• Be methodical in your approach to compliance.
• Assign responsibilities for the ISP and hold people accountable.
• Devote the necessary time and resources to your risk assessment.
• Develop a plan/framework for your information security program with
  checklist(s) for each significant part of the Act.
• Develop security policies, standards and guidelines based on your
  business’ risk assessment.
• Train your employees.
Other sources for help:
• IIABSC has a dedicated resource web page for the SC Insurance Data
  Security Act that has additional information and resources to help
  agencies comply. Find it at iiabsc.com/cybersecurity.
• There is also complete information on the law and access to the DOI
  bulletins at the SC Department of Insurance cyber resource page, found
  at www.doi.sc.gov/cyber. We recommend watching the DOI webinar
  overview of the law and reviewing the PowerPoint presentation
  prepared by DOI staff.
• IIABSC members can review and download additional cyber
  tools and resources from ACT – Agents Council on Technology –
  including a downloadable cyber security plan template. Find them at
  independentagent.com/act.
• Your IT support team will also be a valuable resource for helping
  you comply – from helping assess your risk to implementing technology
  safeguards and protocols.
• All agencies should consider a cyberliability insurance policy. Cyber
  insurance policies with breach response coverage are an affordable
  and valuable protection for your agency should you have to respond
  to a data breach in your agency. IIABSC offers cyberliability insurance,
  complete with an online risk assessment of your agency, from Coalition.
  This program is also available to offer your clients. Learn more on our
  website, iiabsc.com/cyberliability.
Protection of your clients’ personal information is one of the highest
priorities you and your staff should have. Be proactive and implement the
necessary steps to not only comply with SC law, but to safeguard your clients’
information. For more information regarding the SC Insurance Data Security
Act, contact Becky McCormack (bmccormack@iiabsc.com) or Frank Sheppard
(fsheppard@iiabsc.com) at IIABSC, 803-731-9460.