Skip Navigation

Impacts of South Carolina Cybersecurity Law on Non-residents

November 8, 2018
9:00 AM

Some agencies that hold a South Carolina non-resident license soon will need to comply with the state’s Insurance Data Security Act. Beginning on Jan. 1, 2019, non-resident agencies must report within 72 hours data breaches that affect at least 250 South Carolina records. By July, all agencies impacted by the law must have a written data security plan in place.

The following are exempt from the requirement:

  • Agencies with nine or fewer staff people (including independent contractors)
  • Licensed employees of a licensed agency that has a written data security plan in place
  • Licensed agencies that have an information security program that complies with the Health insurance Portability and Accountability Act (HIPAA) and provide certification to that effect

South Carolina is the first state to adopt this law – the National Association of Insurance Commissioners’ Insurance Data Security Model Law. The model law underwent a series of revisions to make it less onerous thanks to insurance industry advocacy efforts (including our own). While considerably improved from prior drafts, the adopted model law retains several contentious provisions. 

If your agency is impacted, review the bulletins provided by the South Carolina Department of Insurance.

Access Bulletin 2018-02 – details what the law does and who is impacted
Access Bulletin 2018-09 – defines what is (and isn’t) a data breach

For more information on written information security programs under Maryland privacy regulations and/or HIPAA, access our resources (see steps 6-A and 6-B):

Privacy resources