RCR 003: South Carolina Insurance Data Security - CISSP Training

Description:  

Cybersecurity Snapshot Topic: South Carolina Data Security Act Overview:

This is the beginning of the states taking a proactive approach to transfer the risk to businesses and through regulations. Common Occurrence – China, EU, Spain, Various States, etc…. GDPR for the US is coming….but that is for Data Privacy EU Cyberlaw that will be hitting the end of the year….Focused on Data Transfers, along with other items It is all coming, so you better be prepared to REDUCE YOUR CYBER RISK!

Details: Quote: Justin Orcutt - The South Carolina Insurance Data Security Act was signed into law on May 14th, 2018 by South Carolina Governor Henry McMaster. It’s the first piece of cybersecurity legislation ever to be passed in the United States aimed at covering the insurance industry.

Insurance Data Security Model – Drafted by the National Association of Insurance Commissioners in 2017 Similar to the Alabama Breach Law, NYDFS Law, etc Official January 1, 2019, but all the requirements don’t hit until 2020 Interesting tidbit:

-All Licensees of the South Carolina Department of Insurance must have a “comprehensive, written, cybersecurity program” in place -Insurers, agents, other licensed entities, plus real-estate lawyers who are also real-estate agents

-Cybersecurity Program -Breach Response plan – 72 hours (YEA BABY) -BIGGIE: Designate Individual, Third Party, or Affiliate who is responsible for your program

-Can there be more!!!! --250 vs. HIPAA’s 500people -Investigate Promptly and records must be retained for 5 years It goes on…..

Recommendation / Outcome:

-Read the law and determine if it affects you and your business

-Look for resources to help you build out a program, designate a person, etc.

-Legal counsel on the best course of action to ensure you meet the law -Cybersecurity advice who can work with legal counsel and your business

-Utilize the training that I am building for this very situation!

Links: https://www.scstatehouse.gov/sess122_...

https://www.linkedin.com/pulse/south-...

Transcript:

Welcome to the reduce cyber risk podcast where we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker hoarded Bay Thai my name is Sean Gerber and I'm your host for this action packed in Florida podcast join me each week cuz I provide the information you need to best protect your business and reduce your company cyber risk California and now it's happening with South Carolina and Alabama it's it's basically telling the federal government they better come up with something if not you have all these states are going to do something that's very different and in the past what typically happen is California is used as the the litmus test if you would purse Aid on how we're going to go forward with these kind of regulations either Maryland or it's California this is going to be another one of those little dead going to add up the California act that the Privacy Act that's past doesn't really get into the cybersecurity pieces of this however what it really does do is it kind of goes into the Privacy aspects of it now it just it was going to be interesting I'm talking through this talk about real quick here is how this is affecting South Carolina and how it is based on the insurance within South Carolina that is comes from a quote from a Justin Orcutt and I'll have his Link in the in the show notes but it's on the South Carolina Insurance data Security Act Now quote it was signed into law on May 14th 2018 by South Carolina Governor Henry McAllister piece of cyber security legislation ever to be passing United States aimed at covering insurance industry so this is the insurance and just picked this cybersecurity Act II to start working now to set the record straight on some of this the insurance data security model that they came up with nasik Nana is Seattle Association of insurance Commissioners pay in 2017 cyber security plan and it's a model by which people can Implement and states can Implement so the national one came up with an idea on how to do this program as a result each state would come up with their own type of program well so what happened South Carolina took the lead and did it and it's so this is based on what they've got coming out of the wall it's also kind of follow suit with what happened when the New York New York nydfs the New York Department of Financial Services and they have their own Security Programs as well so it's basically taking you are as a business owner got a build you got to build a security program exactly there are some guidance around that on what you can do to build a security program but if you don't or cybersecurity person you're probably gone I have no idea if you're a small-business you like what is that so this is going to affect businesses that have less than 250 people 250 insures so if you have a business that's got more than 250 people that you are ensuring you have to cover this now put in perspective HIPAA has got it where the rules don't apply to you unless you have 500 or more as in your their personal data so this is what the numbers to 50 Alabama brick it's similar to the Alabama breach law and the New York Department of Financial Services law in that they require some level of ownership around security Now the official date is January 1st 2019 and but all the all the requirements don't hit till 2020 but a big chunk of them will hit you in January of 2019 so if you are a business and insurance business within that state of South Carolina you better take notice cuz this thing's going to be marching down the path that you're going to have to comply with it now you have to take the risk of your business to go am I going to comply or am I just going to wait to see what happens so I usually would air towards the side of conservatism however knowing full well that this is coming out in January 2019 they're probably not going to have all the people in need in place to help you get you to where you need to be so it'll be interesting to see how strict they are on this piece of it I'll tell you that right now you should do for you and your business but bottom line is you better be prepared for it and you better be planning to deal with it somehow so what it comes down to is B is it all licensees of the South Carolina Department of Insurance must have a comprehensive once again written cyber security program in place big word written on paper clocks ticking so I would recommend that you get some some help with this and just based on insurance agents and other licensed entities plus the real estate lawyers who are also in real estate agents so if you're in the insurance business and you got over 250 people that are in your agency which basically means you got your covering that many people write all your underwriting or however the big term goes in that I'm not real sure but their insurance this would fall on you in South Carolina she got a bill cyber security program the cool part about this is there are examples on how to do this DFS has a plan ffiec has a plan has a plan the National Institute of Standards and technology has a plan and what these are these are Frameworks which is basically guidelines on a hot what you should do to get a security program in place now here's a got you on what exactly you're trying to accomplish as I just proved I don't know a whole lot about insurance right I don't know the terms I still struggle with premiums why is that a good thing I don't get it why is a bonus thing right as an insurer need to understand what are the terms to protect your bill create some Security Programs you can have some training is going to coming out on this in the coming weeks around creating a security program for your business you can tailor this program you can use it for your business you can use the document that I create with this program for your business a lot of that can be taken and duplicated along with it just go do it the one thing you're going to have to deal with though is it does require you to have an individual who is responsible for security within your organization now can be a employee it can be a third party or can be a other vendor type that can be your you're responsible party for security so you have to start thinking about that who would that person be no whining cybersecurity people that are worth their salt are expensive need to think about the different options that are available and we'll talk about that on the podcast as well and in these training videos on what are some options for you Unity of a breach response plan your breach response plan has to be 72 hours know that falls in line with gdpr is that within 72 hours you have to have this demonstrated and done now that's different than what China we talked about in the last bit of the videos if you have business in China is 24 hours that's hard 72 hours is hard for 2 hours then see how things play out with all this stuff is in you maybe I don't want to do a program this is stupid it's compliance it's no fun it's just paperwork you're right however the challenge comes into his this they want to know that you are taking responsibility for the security of your business and their security of your the people that are entrusted to you and what's going to happen is if this is the way the state is pushing liability on to you you don't do it deal with some legal issues can you follow what they ask me to do affiliate that's what it's called there's also many more we talked about the 250 versus hippos 500 people also talked about investigating promptly and records must be kept for five years that's if you get bonus if he had breached his attacker term for phone it just your phone your own right so that's the key number one read the law the law understand it's about 20 pages long lots of Laurel illegal illegally stuff in there but you can dig it out okay nothing is as you probably want to get a legal counsel to help you with it okay I understand what's going on I know that the insurance commission is going to have his providing some guidance around this how did recommend you get some get up on that and learn some of that stuff again it's your business you decide what it's worth real people out of program will help you no problem but there's other resources out there that can help you with that as well and then also get cybersecurity advice from people who can work with you potentially work with your legal counsel as well so having a good legal counsel and cybersecurity than you're making money right your business however you're going to pay some money for that but then you're good getting cyber security and legal together working together to help you that's a benefit that's a bonus and I would recommend that as well what's best for you and then again I come back to you like the train that I start putting out product is built I just got to go record it and you'll have it here soon enough but it'll be a way to help you now is it going to be to the level that nist has and every fine detail and it's going to be the big daddy dog of Security Programs for Raleigh not is it going to be something that's going to get you in compliance with this law they talked about the fact that it needs to be comprehensive piece of paper just think about that again this is the South Carolina cyber-security South Carolina data Security Act and they'll be links doing the show notes on what you and go click on it and go from there you can also go see Justin's link as well to the article that he put out any just really good job of talking about some of the stuff bottom line is the bottom bottom line more and more so you better be prepared for it if you are unsure okay your insurer was that telling it yeah you're an agent or other license entities plus your real estate lawyer or who has real estate agents it's you baby is coming for you so you better be prepared all right I hope you enjoyed this I hope you like this pictures of on the website as well and other than that just email me let me know and I'll be happy to answer some