Quick Links:

On May 3, 2018, Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (the "Act").  The Act became effective on January 1, 2019.  South Carolina was the first state in the nation to pass this important and timely legislation which was modeled after the NAIC Insurance Data Security Model Law.  

The Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws.  The Act defines the requirements applicable to a "licensee" and establishes standards for data security and standards for the investigation of and notification to the Director of a cybersecurity event. 

Contact us via EMAIL with questions

Key Implementation Dates:

January 1, 2019

:  South Carolina Insurance Data Security Act becomes effective.  This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.

July 1, 2019

:  Licensees must have implemented Section 38-99-20 by this date.  This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.

February 15, 2020

:  Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.

July 1, 2020

:  Licensees must have implemented Section 38-99-20(F) by this date.  This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.
  1. SC Bulletins
  2. Additional Information & Resources
The Department has issued a series of bulletins regarding the implementation of this legislation and each has been copied below for your ease of reference.

  1. Bulletin 2018-02. South Carolina Insurance Data Security Act.  This bulletin provides answers to questions such as to whom does the Act apply, what does the legislation do, and when will the legislation be effective.
  2. Bulletin 2018-09. Cybersecurity Event Reporting Form.  This bulletin addresses the process for reporting a cybersecurity event and provides guidance regarding what constitutes a cybersecurity event.  
  3. Bulletin 2018-12. Insurance Data Security Act Exemptions.  The bulletin provides more information on exemptions from the Act's information security program requirements.  Please be reminded that licensees qualifying for an exemption must still comply with other provisions of the Act. 
  4. Bulletin 2020-04. Third-Party Service Provider Deadline.  This bulletin outlines issues that licensees should consider when reviewing the use of third-party service providers as part of a licensee's broader information security program.

View a PDF copy of the "Report a Cybersecurity Event" form.  This form is used by licensees to fulfill the notification requirements under Section 38-99-40 (licensees must notify the Department no later than 72 hours after determining that a cybersecurity event has occurred).