Friday, May 31, 2019

The SC Insurance Data Security Act: Ask Some Questions to Evaluate Your Security Program



The South Carolina Insurance Data Security Act (“Act”), fashioned after the NAIC Insurance Data Security Model Law (Model Law), went into effect on January 1, 2019. South Carolina was the first state in the nation to pass this legislation, and others (Ohio, Mississippi), have followed suit.

The Act requires that each South Carolina person licensed or authorized by the South Carolina Department of Insurance (DOI) a “Licensee” must implement, no later than July 1, 2019, a “comprehensive written information security program” (“Program”) designed to protect nonpublic information (NPI) and the security of the Licensee’s information system.

In addition, the Act requires a Licensee to report to the Director of the DOI within 72 hours following an actual or potential “cybersecurity event.” S.C. Code Section 38-99-40(A) (Section 6(A) of the Model Act).

While South Carolina Licensees (hopefully) are well down the path to meeting the Act’s requirements, the following may be useful for insurance businesses in other jurisdictions who may face compliance with a version of the Model Law in the future. More broadly, the questions that the Act forces insurance businesses to answer are useful for any business seeking to implement, evaluate, or improve its information security program. 

1.     Who is Responsible for Your Information Security Program?

The Act requires that each Licensee “designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the Licensee who is responsible for the information security program.” S.C. Code Section 38-99-20(C)(1) [Section 4(C)(1) of the Model Act].

More particularly, S.C. Code Section 38-99-40(B)(13) [Section 6(B)(13) of the Model Act] requires a Licensee, following a cybersecurity event, to provide the director of the DOI with “the name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.” 
Where Does the Security Buck Stop?

The Act, like many other statutory and regulatory provisions designed to protect sensitive information and information systems (for example the Gramm-Leach-Bliley Act Safeguards Rule and the New York State DFS Cybersecurity Requirements for Financial Services Companies) recognizes that no effective information security program happens without appropriate oversight and responsibility.

2.     Are You Conducting Ongoing Risk Assessments?

In order to develop the Program required by the Act, a Licensee must first determine those information risks (threats) it faces, and then choose those measures it will implement in order to address those risks.

In fact, the Act explicitly anticipates that a Licensee’s Program will be “based on the licensee’s risk assessment.” S.C. Code Ann. Section 38-99-20(A) [Section 4(A) of the Model Act]. The Act goes further, setting out some of the things that an appropriate risk assessment will address, including:
  • Identifying internal and external threats (including those faced by third-party service providers) that could compromise NPI;
  • Determining how likely and how potentially damaging those threats may be, in view of how sensitive the NPI is;
  • Evaluating how well your policies, procedures, information systems, and other protections work in managing these threats;
  • Detecting, preventing, and responding to attacks, intrusions, and other system failures; and
  • Implementing safeguards identified in an ongoing risk assessment, and revisiting those safeguards at least annually.

The Act does not require that an independent party conduct a risk assessment, but consider whether an “in-house” evaluation could be robust enough to provide meaningful feedback, or withstand scrutiny by a regulator.  

3.     What Nonpublic Information Do You Collect, Store, and Share?

The Act requires each Licensee create a Program for the “protection of” NPI. S.C. Code Section 38-99-20(A), [Model Act Section 4(B)]. Broad brush, the Act defines NPI as information that is not publicly available and that meets certain other characteristics. Of course, other applicable laws, and your own business interests may determine what your organization considers NPI or information worthy of protection.

If you do not know what NPI you store, where and how you store it, and who and what is responsible for protecting that NPI, then you cannot quickly or effectively respond when NPI goes missing or is compromised. More generally, you cannot make a plan to protect NPI unless and until you have answered these questions.


Have you created a written document that maps NPI and other sensitive information (visually and otherwise) by the places (servers, physical locations, etc.) where it is stored, inventories that information, identifies who is responsible for managing that information, and classifies the information based on how sensitive or important it is?

4.     How Do You Protect NPI When You Store It and Share It?

When you store NPI or send NPI outside your business, do you employ encryption technologies to secure that NPI?

The Act mentions a number of potential security measures that Licensees should consider and implement as appropriate. In particular, the Act recommends, “protecting by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media.” S.C. Code Section 38-99-20(D)(2)(d), [Model Act Section 4(D)(2)(d)].

Notably, the Act excludes encrypted NPI from the definition of a “cybersecurity event” as long as the “encryption key” is not compromised. S.C. Code Section 38-99-10(3), [Model Act Section 3(D)].
Other regulatory frameworks provide similar “safe harbors” for properly encrypted NPI.

5.     How Do You Limit Access to NPI?

The Act recognizes that one potential threat to the security of NPI arises not from outside hackers, but from inside an organization.

Accordingly, the Act suggests “placing access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.” S.C. Code Section 38-99-20(D)(2)(a), [Model Act Section 4(D)(2)(a)].

Access controls ensure the principle of least privilege — meaning an employee only has access to that information necessary for her to perform her job. Giving all employees access to NPI outside of their normal job function can create a potential cybersecurity event.


6.     With Whom Are You Sharing NPI?

The Act requires a Licensee to “exercise due diligence” selecting any third-party service provider that will have access to NPI, and further to require any such third-party service provider to implement appropriate measures to secure information systems and NPI. S.C. Code Section 38-99-20(F), [Model Act Section 4(F)].

A written agreement between a business and any third-party service provider handling NPI is necessary to set out appropriate obligations and remedies. For more on appropriate vendor management, click here.

7.     Do You Have an Incident Response Plan?

The Act requires a Licensee to “establish a written incident response plan” as part of its Program, (S.C. Code Section 38-99-20(H)(1)) [Model Act Section 4(H)] , and lists a number of elements that must be included in that plan, including:

  •         the process for responding to a cybersecurity event,
  •         the goals of an incident response plan,
  •         defining roles, responsibility, and decision-making authority during an event,
  •         identifying requirements for addressing weaknesses, and
  •         documenting and reporting cybersecurity events and incident response activities.
The Act recognizes that the mere act of creating an incident response plan in advance allows an organization to respond more effectively following a cybersecurity event.


As Nassim Nicholas Taleb notes,
“It is preferable to take risks one understands than understand risks one is taking.”
Conclusion

South Carolina insurance Licensees are complying with the Act because they have to. However, the requirements of the Act embody fundamental security concepts and controls that apply to any organization that stores and shares NPI.