South Carolina Will Require Insurers to Implement Heightened Security Measures
As of January 1, 2019, insurers who are doing business in South Carolina will be required to create and maintain a “comprehensive information security program.” The security measures will be based on ongoing risk assessment, and the insurers will need to oversee third-party providers, look into any potential breaches, and notify regulators within three days of an event that affects more than 250 residents.
“It provides some consumer protection to further help safeguard that extremely important and private information,” said South Carolina Department of Insurance Director Ray Farmer. “It requires insurance companies to beef up their data security.” Farmer further indicated that more than 120 million Americans have had their health insurance information potentially released to third parties. The number, it has been estimated, could be even higher, which is why the new measures are so important.
“The United States Department of Treasury has commended the regulators for developing the model bill and has encouraged every state to adopt it and to adopt it within the next several years,” he continued. “South Carolina is now the first in the nation to pass a comprehensive data security insurance law. This sets South Carolina apart and shows we are dedicated to keeping insurance information safe. In this day where cybersecurity breaches are a real and ongoing threat, it is best to take a proactive approach to protect data before there is an issue, rather than trying to fix a breach once it has happened.”
According to a system that tracks healthcare data breaches, between 2009 and 2017, 2,181 issues involving more than 500 records were recorded. In total, that is over 175 million healthcare records for more than 176 million Americans – higher than the estimate provided.
Damian Caracciolo, vice president of the executive protection practice at Cbiz Inc., a financial services company, says that “it’s certainly important to put those things into words—that you have to be compliant—but most insurance carriers and most financial institutions are already compliant with those laws.” He added, “I don’t think it will have a significant impact on the major carriers. It may impact some smaller regional that are ramping up their efforts. I think it would be more critical if they required every carrier to have [insurance] coverage.”
“Considering the recent series of data breaches, cyber security is more important now than ever,” said Ted Nickel, National Association of Insurance Commissioners (NAIC) President and Wisconsin Insurance Commissioner. The NAIC is the U.S. standard-setting and regulatory support organization created and overseen by the chief insurance regulators from all 50 states, the District of Columbia and the five U.S. territories. “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers,” Nickel added.
While South Carolina’s cyber security measures, including its notification requirement for all licensed insurers, officially go into effect Jan. 1, 2019, insurers will be required to provide written security plans to state regulators starting July 1, 2019. That means they will need to have the proposed tools in place, including a comprehensive system, within the first six months.