Ask Reggi Your Question Now
Can you summarize SCCL 38-99-40?
INSURANCE DATA SECURITY ACT > Notification requirements following cybersecurity event.
Short Summary
This legal document, known as the South Carolina Insurance Data Security Act, outlines the notification requirements that licensees, including insurers and producers, must follow in the event of a cybersecurity event. Licensees must notify the director within 72 hours of determining that a cybersecurity event has occurred. This requirement applies if South Carolina is the licensee’s state of domicile or home state, or if the licensee reasonably believes that the event involves nonpublic information of at least 250 consumers residing in South Carolina and has a reasonable likelihood of materially harming a consumer or the licensee’s normal operations. The document specifies the information that must be provided to the director, including the date of the event, description of the event, recovery efforts, information about the source of the event, and the number of affected consumers. The document also addresses notification requirements for assuming insurers and third-party service providers. Compliance with other applicable laws and regulations is required, and a copy of the consumer notification must be provided to the director. The document does not mention specific penalties for non-compliance.
Whom does it apply to?
Licensees, including insurers and producers, who are either domiciled in South Carolina or have nonpublic information of at least 250 consumers residing in South Carolina
What does it govern?
Notification requirements following a cybersecurity event
What are exemptions?
No exemptions are mentioned.
What are the Penalties?
Not specified in the provided document.
Jurisdiction
South Carolina