September 18, 2021

Volume XI, Number 261

US Breach Laws Are Coming: South Carolina

In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is going into effect on January 1, 2019. South Carolina joins other states, including Connecticut and New York, in having breach notice requirements for insurance companies. The law will supplement the requirements that financial companies, including insurance companies, already face under the Gramm-Leach-Bliley Act.

Companies must promptly investigate potential breaches under this new law. If a breach has occurred, they will often also have to notify the Director of Insurance within 72 hours. This notification must happen either if the company is regulated by the director or if the information of 250 South Carolina residents is affected.  The same obligations apply when a vendor is impacted.

The law also speaks to steps that must happen before a breach occurs. Not only do insurance companies need to have an incident response plan, they must also have a comprehensive information security program in place by July 1st, 2019.  The program must include risk assessments and be appropriate both to the company’s size and to the scope of its data assets. Companies will also be required to vet third-party vendors and make sure they have appropriate cybersecurity controls.  Additionally, the law requires that senior leadership, including the Board, be involved in this program.

Putting it Into Practice: Insurance companies should keep this new law in mind, in particular the notification requirement for when 250 or more residents have been impacted. Also noteworthy are the pre-breach steps, including an incident response plan and information security program. This is the second in our series of upcoming breach notice obligations going into effect January 1, 2019. Click here for the first article.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 353

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Shanna Pearce, Sheppard Mullin, San Diego, litigation, class action, intellectual property, IP, copyrights, false advertising, commercial litigation, lanham act, unfair competition
Associate

Ms. Pearce represents businesses in the areas of intellectual property and commercial litigation, from trademark and copyright matters to consumer class actions. She has represented Fortune 500 companies in complex actions involving allegations of copyright violation, breach of contract, fraud, and unfair business practices. She has also defended retailers and financial institutions in class actions alleging violations of statute and federal laws relating to false advertising, unfair competition, pricing practices, and lending disclosures. Ms. Pearce’s litigation...

858-720-7475