Download PDF

News & Events

Is South Carolina’s Insurance Data Security Act a harbinger of things to come for U.S. insurance companies?

On New Year’s Day, the South Carolina Insurance Data Security Act went into effect.  Notably, the Act is modeled after the NAIC Insurance Data Security Model Law.  And South Carolina is the first state to adopt it.

The Act requires insurance companies to notify state regulators within 72 hours of confirming that a cybersecurity event occurred.   But this is just the first of a few changes coming to the Palmetto State.  In July 2019, licensed insurance companies will be required to implement written information security policies that include employee training, encryption of certain data in transit, and internal risk assessments.  In February 2020, companies will be required to submit an annual certification to state regulators confirming that they are in compliance with the Act.  By July 2020, they will also be required to implement third-party vendor due diligence policies.

Written by Lafayette attorney, Steven Bucher. To learn more about him, you may visit his bio here.