(A) If a licensee learns that a cybersecurity event has occurred or may have occurred, the licensee, an outside vendor, or service provider designated to act on behalf of the licensee must conduct a prompt investigation of the event.

(B) During the investigation, the licensee, outside vendor, or service provider designated to act on behalf of the licensee shall, at a minimum:

(1) determine whether a cybersecurity event occurred;

(2) assess the nature and scope of the cybersecurity event;

(3) identify nonpublic information that may have been involved in the cybersecurity event; and

(4) perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or control.

(C) If the licensee learns that a cybersecurity event has occurred or may have occurred in a system maintained by a third-party service provider, the licensee shall complete an investigation pursuant to the requirements of this section or confirm and document that the third-party service provider has completed an investigation pursuant to the requirements of this section.

(D) The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and produce those records upon demand of the director.

Terms Used In South Carolina Code 38-99-30

  • Cybersecurity event: means an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system. See South Carolina Code 38-99-10
  • Director: means the Director of the Department of Insurance or his designee. See South Carolina Code 38-99-10
  • Licensee: means a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction. See South Carolina Code 38-99-10
  • Nonpublic information: means information that is not publicly available information and is:

    (a) business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

    (b) any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:

    (i) social security number;

    (ii) driver's license number or nondriver identification card number;

    (iii) account number, credit or debit card number;

    (iv) security code, access code, or password that would permit access to a consumer's financial account; or

    (v) biometric records;

    (c) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:

    (i) the past, present, or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;

    (ii) the provision of health care to a consumer; or

    (iii) payment for the provision of health care to a consumer. See South Carolina Code 38-99-10
  • Third-party service provider: means a person not otherwise defined as a licensee that contracts with a licensee to maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See South Carolina Code 38-99-10