• Home

  • Documents

  • 2017-2018 Bill 856 Text of Previous Version (Jan. 9, 2018 ... Web view09.01.2018 ·...

If you can't read please download the document

2017-2018 Bill 856 Text of Previous Version (Jan. 9, 2018 ... Web view09.01.2018 · SECTION1.This act is known and may be cited as the “South Carolina Insurance Data Security

Embed Size (px)

Citation preview

2017-2018 Bill 856 Text of Previous Version (Jan. 9, 2018) - South Carolina Legislature Online

A BILL

TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, TO ENACT THE SOUTH CAROLINA INSURANCE DATA SECURITY ACT BY ADDING CHAPTER 99 TO TITLE 38 SO AS TO DEFINE NECESSARY TERMS; TO REQUIRE A LICENSEE TO DEVELOP, IMPLEMENT AND MAINTAIN A COMPREHENSIVE INFORMATION SECURITY PROGRAM BASED ON THE LICENSEES RISK ASSESSMENT AND TO ESTABLISH CERTAIN REQUIREMENTS FOR THE SECURITY PROGRAM, TO PROVIDE MINIMUM REQUIREMENTS FOR A LICENSEES BOARD OF DIRECTORS, IF APPLICABLE, TO REQUIRE A LICENSEE TO MONITOR THE SECURITY PROGRAM AND MAKE ADJUSTMENTS IF NECESSARY, TO PROVIDE THAT THE LICENSEE MUST ESTABLISH AN INCIDENT RESPONSE PLAN AND TO ESTABLISH CERTAIN REQUIREMENTS FOR THE INCIDENT RESPONSE PLAN, TO REQUIRE A LICENSEE TO SUBMIT A STATEMENT TO THE DIRECTOR OF THE DEPARTMENT OF INSURANCE ANNUALLY; TO ESTABLISH CERTAIN REQUIREMENTS FOR A LICENSEE IN THE EVENT OF A CYBERSECURITY EVENT; TO REQUIRE A LICENSEE TO NOTIFY THE DIRECTOR OF CERTAIN INFORMATION IN THE EVENT OF A CYBERSECURITY EVENT; TO GRANT THE DIRECTOR THE POWER AND AUTHORITY TO EXAMINE AND INVESTIGATE A LICENSEE; TO PROVIDE THAT DOCUMENTS, MATERIALS, OR OTHER INFORMATION IN THE CONTROL OR POSSESSION OF THE DEPARTMENT MUST BE TREATED AS CONFIDENTIAL AND TO AUTHORIZE THE DIRECTOR TO SHARE OR RECEIVE CONFIDENTIAL DOCUMENTS UNDER CERTAIN CIRCUMSTANCES; TO PROVIDE EXEMPTIONS FROM THE PROVISIONS OF THIS CHAPTER; TO PROVIDE PENALTIES FOR VIOLATIONS; AND TO AUTHORIZE THE DIRECTOR TO PROMULGATE REGULATIONS.

Be it enacted by the General Assembly of the State of South Carolina:

SECTION1.This act is known and may be cited as the South Carolina Insurance Data Security Act.

SECTION2.Title 38 of the 1976 Code is amended by adding:

CHAPTER 99

South Carolina Insurance Data Security Act

Section 389910.As used in this chapter:

(1)Authorized individual means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and its information systems.

(2)Director means the Director of the Department of Insurance or his designee.

(3)Consumer means an individual including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder who is a resident of this State and whose nonpublic information is in a licensees possession, custody or control.

(4)Cybersecurity event means an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system. It does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released or used without authorization. It also does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

(5)Department means the Department of Insurance.

(6)Encrypted means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

(7)Information security program means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

(8)Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

(9)Licensee means an insurer, insurance broker, or an insurance producer but does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

(10)Multifactor authentication means authentication through verification of at least two of the following authentication factors:

(a)knowledge factors, such as a password; or

(b)possession factors, such as a token or text message on a mobile phone; or

(c)inherence factors, such as a biometric characteristic.

(11)Nonpublic information means information that is not publicly available information and is:

(a)business related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

(b)information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with the consumers:

(i) social security number;

(ii)drivers license number or nondriver identification card number;

(iii)account number, credit or debit card number;

(iv)security code, access code, or password that would permit access to a consumers financial account; or

(v)biometric records;

(c)any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:

(i) the past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumers family;

(ii)the provision of health care to a consumer; or

(iii)payment for the provision of health care to a consumer.

(12)Person means any individual or any nongovernmental entity including, but not limited, to a nongovernmental partnership, corporation, branch, agency, or association.

(13)Publicly available information means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law. For the purposes of this item, a licensee has a reasonable basis to believe information is lawfully made available to the general public if the licensee has taken steps to determine:

(a)that the information is of the type that is available to the general public; and

(b)whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

(14)Risk assessment means the risk assessment that each licensee is required to conduct under this chapter.

(15)State means the State of South Carolina.

(16)Thirdparty service provider means a person not otherwise defined as a licensee that contracts with a licensee to maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

Section 389920.(A)A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensees risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensees information system. The program must be commensurate with the size and complexity of the licensee, the nature and scope of the licensees activities including its use of thirdparty service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensees possession, custody, or control.

(B)A licensees information security program must be designed to:

(1)protect the security and confidentiality of nonpublic information and the security of the information system;

(2)protect against threats or hazards to the security or integrity of nonpublic information and the information system;

(3)protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer; and

(4)define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

(C)The licensee shall:

(1)designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee as responsible for the information security program;

(2)identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by thirdparty service providers;

(3)assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information;

(4)implement information safeguards to manage the threats identified in its ongoing assessment, and at least annually assess the effectiveness of the safeguards key controls, systems, and procedures; and

(5)assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensees operations, including:

(a)employee training and management;

(b)information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal; and

(c)detecting, preventing, and responding to attacks, intrusions, or other systems failures.

(D)Based on its risk assessment, the licensee shall:

(1


Final Section1

Final Section1

Documents
Chapter 10 section1-2

Chapter 10 section1-2

Education
CFD Trading Guide Section1

CFD Trading Guide Section1

Documents
Section1 instructions to bidders

Section1 instructions to bidders

Engineering
Chapter 8 section1-2

Chapter 8 section1-2

Business
Section1: Compressible Flow: Historical Perspective and ...mae-nas.eng.usu.edu/MAE_5420_Web/section1/section1.pdf• Modern Supersonic aircraft compensate for “Mach Tuck”! Using

Section1: Compressible Flow: Historical Perspective and ...mae-nas.eng.usu.edu/MAE_5420_Web/section1/section1.pdf• Modern Supersonic aircraft compensate for “Mach Tuck”! Using

Documents
Chapter6 section1 3

Chapter6 section1 3

Education
Section1 Nore

Section1 Nore

Documents
Wcs eBook Section1

Wcs eBook Section1

Documents
Section1 Science New Paradigms

Section1 Science New Paradigms

Documents
Section1 Final Slides

Section1 Final Slides

Documents
Section1 (1)

Section1 (1)

Documents
Section1 Business Plan

Section1 Business Plan

Documents
Section1 storage system

Section1 storage system

Documents
Section1 Notes

Section1 Notes

Documents
Section1-1 Africa Geography

Section1-1 Africa Geography

Documents
Section1-Energy Commodities Intro

Section1-Energy Commodities Intro

Documents
Section1 - Updated

Section1 - Updated

Documents
Pleasanton Weekly 04.30.2010 - Section1

Pleasanton Weekly 04.30.2010 - Section1

Documents
CHAPTER 16 SECTION1

CHAPTER 16 SECTION1

Documents
description: tags: Section1

description: tags: Section1

Documents
Section1 Paint Definitions

Section1 Paint Definitions

Documents
Dd Notes Section1

Dd Notes Section1

Documents
JavaFundamentals Section1

JavaFundamentals Section1

Documents
Catalogo PCB Section1

Catalogo PCB Section1

Documents
Thermodynamics (Section1 2)

Thermodynamics (Section1 2)

Documents
Grade80 100 section1

Grade80 100 section1

Documents
Section1 TB METEO

Section1 TB METEO

Documents
Section1 Cost

Section1 Cost

Documents
VIEWS 06.2011 - Section1

VIEWS 06.2011 - Section1

Documents