Gerber Life Compliance Update
The state of South Carolina enacted the South Carolina Insurance Data Security Act (2018 S.C. Act No. 171) (the "Act"). The Act will address and implement data security through a series of bulletins.
The Bulletin specifically addresses exemptions from the information security program requirements, and states in part the following:
- Licensees are exempt from the requirements, including developing their own information security programs, in the following cases: 1) a licensee that has fewer than ten employees; 2) a licensee who is an employee or agent of a licensee, to the extent that they are covered by the information security program of another licensee; 3) a licensee who is subject to HIPAA; 4) a licensee who is subject to the NY Cybersecurity regulation.
- While a licensee may be exempt from developing a program, the licensee must still comply with the other provisions of the Act, including reporting of cybersecurity events.
- Absent an exemption, all licensees are required to develop, implement and maintain a comprehensive written information security program based on the licensee’s risk assessment. The cybersecurity program should be commensurate with the size and complexity of the company, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of nonpublic information used/stored by the company.
- If a licensee does not qualify for an exemption, they have 180 days to comply with all the requirements of the Act.
- A copy of the form can be found on the Department’s website at www.doi.sc.gov/cyber.