Can I skip having an information security program in place in South Carolina? What are the requirements?
Information Security Program Requirements in South Carolina
Based on the South Carolina Insurance Data Security Act [1.1], all licensees are required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. The information security program must be designed to:
- Protect the security and confidentiality of nonpublic information and the security of the information system.
- Protect against threats or hazards to the security or integrity of nonpublic information and the information system.
- Protect against unauthorized access to or use of nonpublic information.
- Minimize the likelihood of harm to a consumer.
The licensee must:
- Designate one or more employees, an affiliate, or an outside vendor acting on behalf of the licensee as responsible for the information security program.
- Identify reasonably foreseeable internal or external threats that could result in unauthorized access to, or the transmission, disclosure, misuse, alteration, or destruction of, nonpublic information.
- Assess the likelihood and potential damage of these threats.
- Assess the sufficiency of the policies, procedures, information systems, and other safeguards in place to manage these threats.
- Implement information safeguards to manage the threats identified in its ongoing assessment.
- At least annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.
Therefore, licensees in South Carolina are required to have an information security program in place, and cannot skip this requirement. The information security program must be designed based on the licensee’s risk assessment and must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
Exemptions from Information Security Program Requirements
There are, however, exemptions from the provisions of Section 38-99-20 [1.5]. The following licensees are exempt:
- A licensee with fewer than ten employees, including any independent contractors.
- An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from the provisions of Section 38-99-20 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.
- A licensee subject to the Health Insurance Portability and Accountability Act, Pub.L. 104-191, 110 Stat. 193.
Investigation and Notification Requirements
In case of a cybersecurity event, the licensee must conduct a prompt investigation of the event [1.3]. The licensee shall notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred [1.4]. The licensee shall provide as much information as possible, including the date of the cybersecurity event, a description of how the information was exposed, lost, stolen, or breached, and the identity of the source of the cybersecurity event. The licensee shall comply with the notice requirements of Section 39-1-90 and other applicable law and, when required to notify the director, provide the director with a copy of the notice sent to consumers.
No Creation of Liability
Nothing in the South Carolina Insurance Data Security Act creates any duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network [1.2].
Therefore, based on the South Carolina Insurance Data Security Act, all licensees are required to have an information security program in place, except for those who are exempted.
Source(s):
- [1.1] Information security program; compliance.
- [1.2] No creation of liability.
- [1.3] Investigation of cybersecurity events; records.
- [1.4] Notification requirements following cybersecurity event.
- [1.5] Exemptions from provisions of chapter.
Jurisdiction
South Carolina