Are You in Good Hands: South Carolina’s New Data Security Act and Whether It Does Enough to Protect Insurance Consumers
Zachary B. Randolph*
On Friday, October 26, 2012, the former Governor of South Carolina, Nikki Haley, announced that the South Carolina Department of Revenue (SCDOR) experienced a cybersecurity breach in which hackers stole massive amounts of personal information. The cyberattack, the largest South Carolina state agency breach in history, resulted in the theft of 3.8 million Social Security numbers, 387,000 credit and debit card numbers, and nearly 3.3 million bank account numbers. Roughly sixteen days prior to this public announcement, the SCDOR became aware of the data breach when law enforcement provided evidence that hackers stole three individuals’ personal information. The SCDOR contacted an information security firm, Mandiant, to conduct an investigation and determine the cause, extent, and implications of the security breach.
Mandiant reported that it believed a phishing e-mail caused multiple SCDOR employees to click on an embedded link within the e-mail that executed malicious software on the computer and ultimately allowed the attacker to steal the employees’ usernames and passwords. The attacker then remotely accessed the SCDOR server, using the credentials from those employees who clicked on the malware link. After logging into the SCDOR server, the hacker used those employees’ access credentials to infiltrate the other servers.
The investigation revealed that the attackers used thirty-three pieces of malicious software and compromised forty-four systems. For over two months, nobody in the SCDOR was aware that a hacker breached the servers and stole taxpayer files, many of which lacked encryption safeguards. Although a containment plan prevented the attackers from regaining access to the SCDOR servers, the information was gone. After the investigation concluded, Mandiant and government officials determined that the SCDOR lacked essential security protocols, such as minimal encryption of the data it housed, inadequate breach detection safeguards, and single-factor authentication to access data.
Although the SCDOR did not publicly disclose the total cost of the breach, the agency took out a $20.1 million loan with the state Insurance Reserve Fund to guarantee free credit monitoring for individuals directly affected by the breach, implement encryption and dual passwords at the SCDOR, and give direct notification to taxpayers about the breach. In response to the breach, the SCDOR implemented new security protocols, including more specialized employee training on data security, more extensive monitoring of software capabilities, and enhanced firewall technology to protect the system from outside threats.
This data breach, along with other notorious data breaches in recent history, led the South Carolina General Assembly, and now Governor Henry McMaster, to be the first state in the country to sign an insurance cybersecurity bill into law. The South Carolina General Assembly passed the Insurance Data Security Act (IDSA) to regulate data privacy within the state’s insurance industry.The IDSA requires that the industry most vulnerable to cybersecurity threats must implement standardized data security protocols to equip insurance companies with the ability to protect their consumers’ personal information. Specifically, insurance licensees must implement not only the standardized protocols that the IDSA provides (investigation, notification, and penalty protocols) but also a “comprehensive written information security program” that the IDSA must approve.
Insurance companies are prime targets for hackers seeking to make a profit because, although some insurance entities may have money (or cryptocurrency), which they often protect heavily, all insurance entities possess their customers’ personal information, which they protect less rigorously. Because inadequate security renders this personal information much easier to access, hackers may steal a higher quantity of it and subsequently sell the information on the dark web.
Data security is an essential part to any business that collects and stores sensitive data. Without up-to-date data security measures, any business is susceptible to a data breach that could damage the business’s financial capabilities, reputation, and ability to continue operations. Due to a lack of universal federal regulation concerning cybersecurity and data protection, states are left to create a patchwork of protections, often regulating only individual industries. While the National Association of Insurance Commission’s (NAIC) Model Law was a key influence on the IDSA, New York’s recent legislation concerning data security within the financial industry (New York Cybersecurity Requirements) heavily influenced the NAIC’s Model Law.
Although the IDSA provides straightforward steps on how licensees should implement data security, such as requiring boards of directors to implement data security plans and listing items that the those plans must include, it does not provide direction for insurance licensees to effectively and efficiently implement these data security protection standards. Furthermore, the current construction of the IDSA will have broad reaching effects, both legal and economic, on the insurance industry in South Carolina.
This Comment argues that the IDSA, although it may help prevent data security breaches in the future, leaves insurance licensees exposed to increased legal liability and economic cost beyond what is justified to incentivize improved data security. Part II introduces background information concerning the issues of cybersecurity and the IDSA, including a survey of recent major data breaches across varying industries, information regarding typical cybersecurity breaches, and a brief comparison between the IDSA and its contemporaries. Finally, Part III introduces the IDSA’s key provisions and analyzes whether these provisions will be successful in combating data breaches and whether the IDSA’s standards will be able to keep up with the technological changes in cybersecurity.
Contemporary businesses do not simply house data; they are data. This data is valuable because it enables businesses to improve their services, generate more revenue, and enhance operations. With more companies collecting more data, it is only fitting that more data breaches will occur. Between 2018 and 2019, there was a dramatic increase in breached records, reaching over four billion.
Three recent and major data breaches include those committed against Anthem Medical Insurance, Yahoo, and Uber. On February 18, 2014, hackers gained access to Anthem’s database through a spear-phishing expedition by targeting key employees through false e-mails that contained malware allowing the hackers to gain remote access to other systems within Anthem’s enterprise. Over the next several months, the hackers used a key employee’s credentials to move about Anthem’s systems and gain access to more information. Eventually, the hackers found Anthem’s data warehouse containing personal consumer data. The breach exposed nearly 78.8 million records, containing a wide variety of consumer information. Anthem was unaware of the breach until January 27, 2015, when an Anthem administrator discovered his credentials being used on a task he did not initiate. Although Anthem acted quickly and notified the FBI and the public, the damage was already done. Due to the nearly 80 million records exposed, Anthem incurred significant costs related to its data security breach.
In 2019, the “Justice Department unsealed an indictment of two Chinese nationals” for the Anthem data breach. Because no Anthem information entered the dark web, where personal information is often sold, authorities believe there was an ulterior motive for the stolen information. Based on one leading theory foreign governmental authorities used this information to track, investigate, and root out international covert activities. Regardless of the reason for the stolen information, Anthem paid a heavy price for the data breach.
Although the Anthem breach is the largest to affect the insurance industry, the Yahoo data breaches that occurred in 2013 and 2014 greatly surpass it in size. These breaches affected 1.5–3.0 billion Yahoo account users. In August of 2013, unknown attackers breached Yahoo’s computer systems, where the company stored consumer data such as login information and personal data. This information provided the hackers access to the contents of Yahoo users’ e-mails, which likely contained other sensitive personal and financial information. Although investigators are not certain exactly how the breach occurred, they believe that Yahoo’s outdated encryption technology and procedures led to the documents’ exposure. It was not until the summer of 2013 that Yahoo started implementing updated encryption of its data.
In 2014, Yahoo suffered another cyberattack. Russian nationals targeted high-level Yahoo employees through a spear-phishing campaign and exposed over 500 million accounts during this breach. Yahoo disclosed both the 2013 and 2014 attacks to the public in December of 2016 when Verizon was negotiating to purchase Yahoo for $4.8 billion. This led to a dramatic decrease in price by $350 million and an overall 1.3 billion dollar drop in Yahoo stock.
Uber suffered a more recent data breach in late 2016. The breach occurred when an Uber employee posted the company’s access key online. Targeting one of Uber’s cloud-based service providers, a hacker used the key to access unencrypted files that contained millions of Uber driver and rider information. Uber failed to disclose the breach until November 2017, when the new CEO issued a press release advising of the attack. There is debate concerning whether Uber attempted to conceal the data breach when it paid the hackers $100,000 to delete the stolen data instead of reporting the breach, as required by notification laws. The data breach resulted in Uber’s settling a class action suit for $148 million.
Although these events represent only a few of the major data security breaches in recent years, it is clear that data security breaches greatly affect businesses’ financial liability and can cause irreparable harm to a business’ reputation. Furthermore, not all data security breaches concern large, well-known companies. In fact, in 2017 the majority of reported data breaches affected those considered small businesses. With the increasing number of data security breaches, it is important to be aware of the different tactics hackers use to infiltrate security systems to gain access to protected information.
A data breach may have several different definitions; however, the vast majority of data breaches occur using a variation of hacker technology called malware. Malware is a collective term for an array of malicious software variants, including the following: viruses, worms, ransomware, spyware, and Trojan viruses. A virus is the most common type of malware, where the virus attaches its malicious code to a host system and waits for the code to be activated, where it then spreads quickly, causing damage to the system’s functionality and possibly locking down or destroying files. A worm, on the other hand, does not need a host system to cause damage because a worm replicates its own code to find and infect other computer systems. Ransomware is malware designed to lockdown entire systems. It denies authorized users access to the system until they pay a ransom to the attackers to release the system. Spyware is designed to operate in the background of the computer system where it collects and stores information without the user’s knowledge. Trojans, a variant of spyware, are embedded in software applications or the computer system. When the application or system is in use, the Trojan is performing an unauthorized action without the user’s knowledge. Finally, phishing is a process that attempts to trick e-mail recipients into clicking hyperlinks or attached files that contain malware. Although many phishing probes are easy to spot, some phishing attacks are more difficult to discern. Spear-phishing campaigns are more troublesome to spot because they are specifically targeted to the recipient to masquerade as a known or trusted sender. Although these are common ways hackers gain access to secured data, malware is continuously evolving in order to bypass new security measures, making data security especially difficult for individuals and businesses. Even though it is nearly impossible to protect businesses from all data security breaches, businesses can implement several security protocols—such as encryption, endpoint lockdown, multifactor authentication, and employee date security training—that can slow down a hacker’s ability to retrieve and use protected data.
As infiltration technology and the counter measures created to combat those infiltrations become more sophisticated, hackers often look for targets that have minimal or outdated security measures but who also house large amounts of personal or business information. Even though anyone operating on the internet or within a network system can fall victim to data breaches, experts consider insurance companies and small businesses, in particular, to be among the top targets for hackers. While cyber criminals may seek to steal cryptocurrencies from financial institutions, these assets are heavily guarded and difficult to extract successfully. Although small businesses and insurance entities seldomly house excessive amounts of cryptocurrency, they do house copious amounts of personal information, making them attractive targets for cyber criminals. These types of companies are “soft targets” because, while other industries have dedicated significant time and resources to implement procedures to protect against data breaches, the employees lack awareness training in this regard and often cannot pay for the cybersecurity systems necessary for its enterprise. This bullseye on insurance entities led South Carolina to be the first state to adopt insurance industry data security legislation which requires insurance entities to implement data security measures to protect consumer and business information.
The IDSA is heavily influenced by the NAIC’s Model Law (Model Law), as both establish a legal framework that provides a minimum floor for cybersecurity within the insurance industry. This framework requires insurance licensees to conduct an assessment concerning the cybersecurity risks the company may be subject to. Based on this risk assessment, the insurance entity must “develop, implement, and maintain a comprehensive written” security program that provides extensive safeguards to protect personal nonpublic information. The information security program effectively creates an objective floor for mandatory compliance, but it does not mandate a particular subjective ceiling, allowing flexibility for the licensee to go beyond the IDSA’s minimum standards to provide further security. One of those subjective standards is the development of an information security program that is commensurate with the size and complexity of the covered entity’s business activities. If the covered entity engages in business that collects a vast amount of nonpublic information, the covered entity must develop and operate its information security program in light of the vast amount of information. Furthermore, if the covered entity’s business operations or internal information system is complex, its information security program must account for the increased possibility that breaches may occur with increased complexity.
The IDSA and Model Law provide strict mandates upon covered insurance entities to assess and determine whether the procedures within their written security plans are sufficient for the entities to comply with the following: protect all nonpublic information through encryption, regularly test and monitor security systems and procedures, and implement authentication procedures to access information. The IDSA and the Model Law also provide strict requirements on insurance entities to conduct an investigation if a data breach has occurred or if the entity thinks an event may have occurred. The investigation must accomplish the following: determine whether a cybersecurity event occurred, assess the nature and scope of the event, identify the information that was involved in the event, and “perform reasonable measures to restore the security system that was compromised by the event.”
The IDSA and Model Law’s primary objective is to protect nonpublic information. A covered entity’s entire data security program and risk assessment is largely dependent on the type and amount of nonpublic information it collects and carries. Publishing similar definitions, the IDSA and the Model Law define nonpublic information as information that is not publicly available, thereby excluding information such as records made available to the public by any level of government and records distributed through the media. Nonpublic information under the IDSA and Model Law departs somewhat from traditional data security legislation because it includes both consumer information and “certain business-related information.” This definition is expansive and broad, providing that the business-related information requires protection under the IDSA if it “would cause a material adverse impact to the business, operations, or security of the licensee.” Like business-related information, traditional consumer information also requires protection. Traditional consumer information includes Social Security numbers, driver’s license numbers, credit and account numbers, security codes or passwords, and any information collected by a healthcare provider, except for age or gender. The nonpublic information definition implicitly excludes those entities who do not carry such information; however, this exclusion is effectively obsolete due to the vast quantities of consumer information insurance entities possess.
Along with the implementation of security programs and the investigation of cybersecurity events, the IDSA and Model Law also require covered insurance entities to notify the state’s Director of the Department of Insurance (Director) within seventy-two hours after determining that a cybersecurity event has occurred. This provision does not supersede other state notification laws concerning consumer information, meaning that insurance entities are required to notify both the Director and the consumer when a breach occurs. Other important provisions within the IDSA and Model Law include bestowing the Director with the authority to investigate and examine covered insurance entities and to determine whether they engaged in conduct that violates the law. If a covered entity violates the statute, then the Director can levy a fine up to $15,000, or $30,000 if it acted willfully in violating the statute.
There are exceptions under the IDSA and Model Law. A covered insurance entity is exempt from the program if it has fewer than ten employees, including independent contractors; the entity has coverage under another entity’s security program; or the covered insurance entity follows the Health Insurance Portability and Accountability Act (HIPAA) requirements. It is important to note that these provisions do not exempt those covered entities from the entire statute; rather, they only provide exemptions for complying with the security program development, implementation, and maintenance. While the IDSA follows closely in line with the NAIC’s Model Law, New York’s Cybersecurity Requirements influenced much of the language adopted in the Model Law, which the New York State Department of Financial Services (DFS) promulgated to provide cybersecurity regulations for New York’s financial industry.
The New York DSF promulgated the Cybersecurity Requirements to protect consumers and itself from cybercriminals by instituting regulations that require covered entities to assess the specific risk profiles of their networks and design a cybersecurity program to mitigate those risks. Like the IDSA, the New York regulations focus on finance institutions implementing a cybersecurity program based on a risk assessment, based on oversight of third-party service providers, and based on submissions of written certification of compliance. Also like the IDSA, New York’s Cybersecurity Requirements broadly define nonpublic information, and both have seventy-two hour notification requirements. This means that covered entities, under both articles of law, must be quick and organized in order to adhere to this strict notification mandate. This provision encourages covered entities to create and implement effective detection procedures within its security program. Furthermore, both the IDSA and New York’s Cybersecurity Requirements offer some similar exemptions. Although the IDSA and the New York regulations tackle many of the same issues, there are numerous differences between the two pieces of law.
One area in which New York’s Cybersecurity Requirements and the IDSA differ is how the two define key terms. For example, under New York’s regulations, “cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” On the other hand, “cybersecurity event” under the IDSA provides safe harbor provisions which permit a covered insurance entity not to disclose certain events that fall outside of the definition.
Perhaps the most noteworthy difference is the flexibility offered with the IDSA as compared to the New York Cybersecurity Requirements. Although both mandate substantial requirements to covered entities, the IDSA provides more “flexibility to choose security measures appropriate for their size, resources[,] and the nature of the security risks they face” as compared to the New York Regulations.
This background concerning the IDSA’s creation and adoption is important in order to grasp the recent landscape of cybersecurity laws and provisions. With the heavy influences from the Model Law and the New York Cybersecurity Requirements, the IDSA embarks to protect insurance entities within South Carolina and its residents from the ever-increasing threat data breaches levy on both consumers and businesses. However, the question remains whether the IDSA will be effective in combating this threat.
Part III analyzes select provisions of the IDSA and addresses potential issues regarding whether the IDSA does enough to protect consumers. The IDSA implements many provisions that purport to provide better information security and provide protection to both consumers and business information. However, a more in-depth analysis into these provisions presents a more nuanced reality for both consumers and regulated licensees. In this part, we will determine whether these provisions better protect consumer and business information, and whether they are holistically better for the consumer, the insurance company, or both.
The IDSA governs licensees, which include every business entity or person subject to the license requirements under Title 38 of the South Carolina Code: insurance companies that sell insurance policies, insurance producers and agencies, insurance brokers, and public insurance adjusters. However, other entities not commonly thought to be subject to the South Carolina insurance laws include rental car companies, self-storage facilities, and bail bondsmen and runners. Currently, it is unclear whether these entities must adhere to the IDSA requirements. Although numerous entities are subject to the IDSA, the legislation does provide several exemptions to licensees who do not have to comply with creating, maintaining, and implementing an information security program.
As noted above, one of these key exemptions includes licensees who have fewer than ten employees. The South Carolina General Assembly added this provision because the state has a relatively low number of licensees employing fewer than ten employees; otherwise, the IDSA would have little effect if it did not cover a vast majority of the licensee population. The top ten insurers of automobile insurance and the top ten insurers of homeowners insurance within South Carolina, two of the most widely purchased insurance products among consumers, account for over 87% and 66% of the state’s insurance market respectively. These top ten companies—State Farm, Nationwide, Progressive, Allstate and others—each employ well beyond the cutoff number to qualify for the exemption. Although homeowners licensees likely include companies who have less than ten employees to qualify for this exemption than automobile licensees—based upon South Carolina’s total insurance market share—it is likely that second- and third-tier insurance companies (regarding employment numbers) form a majority of the South Carolina market not within the top insurers’ control. This assumption falls in line with the purported purpose of the IDSA, in that it protects consumer information from cyber threats. The South Carolina Department of Insurance (SCDOI) should target those licensees who cover the most South Carolina residents, which would include the top- and mid-tier insurers.
This analysis then begs the questions—What will happen to these small licensees? Because the IDSA exempts licensees having fewer than ten employees, it leaves those licensees with two options moving forward: choose to invest in an information security program or take advantage of their exempt status by not implementing an information security program. However, one of these choices is detrimental to a small licensee’s future whereas the other may save it. If a licensee chooses not to invest in information security, its customers are likely to move their businesses from that licensee to one which has invested in an information security program. Therefore, although the IDSA exemption provision does not require small licensees to comply with the information security program provision, it does heavily incentivize these licensees to invest in information security because, otherwise, they will risk losing business opportunities. Although consumers may not know of the small licensee’s security programs because such programs often appear within a contract’s fine print, which the consumer seldomly reads, with the rise of cybersecurity and data breach events in the media, it is likely that more potential customers would investigate further to discover what security initiatives are in place. Furthermore, assuming that the IDSA exemption applies, a small licensee still faces subsequent liability if a data breach occurs because a consumer could use the reasons for that breach, such as objectively inadequate security protocols, to show a lack of due care towards the consumer.
The fear for these small licensees is in bearing the cost necessary to implement expensive information security initiatives in order to save business. The average cost of implementing an information security program can be substantial, and the costs after an incident could be catastrophic. However, because the IDSA provides an exemption for small licensees, they are not required to follow the rigorous mandates put forth in the IDSA. Small licensees are free to invest as much or as little as they desire into information security, allowing them to operate their businesses as they improve their security measures. Allowing small businesses to improve their information security at their own pace, in turn, is beneficial for both the insurance industry and the consumer. The consumer benefits because they now have more options in the insurance market, and they also benefit because small licensees are incentivized to invest in information security programs. Although it appears the insurance industry, at least those top insurers, is worse off because of the increased competition in the marketplace, it actually may benefit from this provision. More insurers in the market means more market distribution. Top insurers can be more selective concerning their underwriting processes, marketing themselves to a more select group of consumers who have lower risk profiles. This benefits top insurers’ overall premium income because they are not forced take on more risky insureds.
A cybersecurity event is the “unauthorized access to or the disruption or misuse of an information system or the information stored on an information system.” The definition implicitly excludes those entities who do not store electronic information on an information system because the IDSA only requires protection of data on these electronic information systems. This definition also provides two safe harbor provisions that are not considered “cybersecurity events,” which means that covered entities would not have to report such events to the Director.
The first safe harbor provides that covered entities do not have to report an event if it includes the “unauthorized acquisition of encrypted nonpublic information,” and the encryption, process, or encryption key is not acquired or released without authorization. The definition essentially provides a safe harbor for unsuccessful cyberattacks on a covered entity’s information system. Furthermore, although this definition is in line with the NAIC’s Model Law, it is significantly narrower in scope compared to the New York Regulations.
The second safe harbor equates to a good faith mistake on behalf of the covered entity. Under this provision, a cybersecurity event does not occur if the breached nonpublic information, “has not been used or released and has been returned or destroyed.” In this scenario, a “cybersecurity event” is not triggered, and the covered entity does not have to notify the Director.
The IDSA requires a licensee to notify the Director within seventy-two hours of a cybersecurity event in one of two scenarios: (1) if the licensee is domiciled in South Carolina or (2) when the licensee reasonably believes at least 250 South Carolina residents’ nonpublic information is involved, and the licensee is required to notify any governmental branch or agency, or the cybersecurity event has a reasonable likelihood of materially harming consumers or the licensee’s business. This provides a slightly narrower notification requirement for non-domestic licensees versus domestic licensees. However, notification to the Director is unnecessary if the incident does not classify as a cybersecurity event. Recall, a cybersecurity event does not include instances when the acquired nonpublic information is encrypted and when the encryption key or process is not acquired. In effect, an unauthorized user could steal a licensee’s entire encrypted stockpile of nonpublic information—its credit information, employees’ social security numbers, customers’ home addresses—without the licensee needing to report the event to the Director so long as the perpetrator did not access the encryption key.
Furthermore, recall that a cybersecurity event does not include incidents where the licensee determines that the unauthorized access of nonpublic information was not used or released, and was returned or destroyed. The IDSA does not provide any criteria or guidelines for a licensee to determine whether the nonpublic information was used or released. It places the discretion in the hands of the licensee itself, the party that appears to have a conflict of interest in notifying of such an incident.
These safe harbors and notification requirements ultimately hurt the consumer. Due to these safe harbors and notification restrictions, licensees do not need to notify the Director of certain types of data breaches despite the licensee’s information security plan being compromised. This deprives the Director the opportunity to examine and determine whether theses licensees comply with the IDSA. Although the South Carolina Code requires businesses to report such breaches to consumers, this notification is a retrospective remedy and does not incentivize licensees to protect customer information until a breach has already occurred. If the Director was able to examine a licensee after one of these unreviewable breaches occurred, it could lead to the Director’s discovering weak points in the licensee’s information security program without levying an administrative penalty against it. However, because these safe harbors do not require reporting, the Director is not aware of these breaches, which may lead to less examinations of the licensees that need it the most. Thus, this provision does not promote the protection of consumer information.
The IDSA provides a provision that penalizes a covered entity for failing to comply with its provisions. The provision states that an insurer who violates the IDSA is subject to an administrative penalty of no more than $15,000, license revocation, or both. However, if the insurer commits a willful violation, the penalty increases to be not more than $30,000, license revocation, or both. If the violator is a person, the penalty for noncompliance is no more than $2,500, and for willful noncompliance, the penalty will not exceed $5,000, with the threat of license revocation present in both scenarios. The IDSA penalty provision works in tandem with another provision that allows the Director to examine a licensee’s affairs for violations and allows the Director to enforce the IDSA. Worth noting, the IDSA’s administrative penalties are in addition to any other “criminal penalties provided by law or any other remedies provided by law,” and they do not preclude other criminal or civil proceedings from taking place before, during, or after the administrative proceeding. However, the IDSA also declares that the documents and materials collected by the Director during an examination of a covered entity are confidential by law, precluded from disclosure, and are neither discoverable nor admissible in a civil action. In order to incentivize licensees to comply with the IDSA’s mandate, the Director threatens to levy these administrative fines on the licensee. However, this administrative fine is not steep enough to convince licensees to comply with the IDSA, and the consumer will ultimately be subject to its ramifications.
The IDSA enforcement provision will end up targeting mid-tier licenses because the larger licensees likely do business in not only South Carolina but also in other states, like New York, which require more stringent cybersecurity standards. If these larger South Carolina licensees are doing business in New York, and if these licensees can also satisfy the IDSA requirements by complying with the New York Regulations, then the IDSA effectively is not targeting these larger licensees because they are adhering to stricter requirements. Furthermore, these larger licensees are likely already in compliance because they have larger budgets to invest into cybersecurity and information security programs due to their expanded product lines, larger consumer bases, and more sophisticated and complex information systems. New York may have arguably set the standard for data security due to its more extensive requirements for these larger licensees, but the New York Cybersecurity Requirements would likely not apply to the mid-tier licensees who do not do business outside of South Carolina or the Southeast. Furthermore, even if these larger licensees were not in compliance with the IDSA, the penalty levied against these companies is inadequate to deter future noncompliance due to the high amounts of revenue these companies collect. Due to the fact that the top insurers provide insurance products to the vast majority of consumers in South Carolina and because these licensees are likely already to be in compliance with the IDSA, these realities leave the minority of the South Carolina insurance consumer market to the mid-tier licensees to capture. However, even for these mid-tier licensees, the penalty is not adequate to incentivize compliance with the IDSA.
For mid-tier licensees, the average cost to implement any information security program will be between $33,000 and $54,000. This breakdown, by itself, may suggest that the cost to come into compliance is similar to the cost of the penalty; however, there are more costs associated with coming into compliance with the IDSA. The IDSA requires the licensee to either designate an employee or outside vendor to be responsible for the information security program. If the licensee decides to appoint an employee, that employee must be reasonably qualified to oversee the information security program. The salary for one of these cybersecurity experts ranges $64,000–$88,000, annually. If the mid-tier licensee is a larger company or deals with more sensitive information, it would be reasonable to employ multiple cybersecurity experts to oversee the information security program. Furthermore, the costs to upgrade technology and implement staff training to prevent a cybersecurity event will elevate those costs as well. This increased cost to comply with the IDSA, coupled with the infrequent examination by the SCDOI (at least once every five years) will lead these mid-tier companies to play the odds concerning the violation provision. If licensees do not invest to be compliant with the IDSA, then they will be susceptible to only one $30,000 fine every five years. The costs of implementing the information security program would pay for that administrative fine at least twice within the first year.
Therefore, the administrative penalty for not complying with the IDSA will not deter the targeted licensees to comply with the IDSA. This is ultimately detrimental to the consumer because the penalty is not harsh enough to outweigh the cost of complying with the IDSA’s requirements. This will lead to greater risks of cybersecurity events for those licensees which lack a comprehensive information security program.
A third-party service provider is a person that contracts with a covered entity to “maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to” the covered entity. Covered entities must evaluate and include an assessment of any third-party service provider’s security programs used in connection with the licensee’s information security program. If the covered entity has a board of directors, the IDSA places the duty on the board to oversee third-party service providers. Furthermore, a licensee must “exercise due diligence” when selecting its third-party service providers. After a licensee makes its selection, it must require that third-party service provider to implement appropriate measures to protect and secure the information and systems held by or accessible to the third-party service provider.
If a licensee decides not to retain an in-house employee or department to implement and oversee the information security program, the licensee must outsource this job to a vendor or third-party service provider. If the licensee wishes to use a third-party service provider, it must account for that provider at all steps of review and throughout the implementation of the information security program. The IDSA also requires a licensee’s board of directors to annually report “material matters related to the information security program,” which explicitly includes third-party service provider arrangements. It also requires third-party service providers implement “appropriate . . . measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.” Furthermore, the IDSA implicitly requires the licensee to oversee the third-party service providers it contracts with, meaning the licensee may be subject to IDSA penalties if it fails to adequately use due diligence in selecting and overseeing the third-party service provider.
Although the IDSA requires licensees to use due diligence, it does not provide clear guidance regarding the scope of “due diligence.” This is problematic because, as discussed above, a licensee is subject to penalties if it does not use due diligence. While not explicitly providing an answer to this dilemma, the SCDOI provided information regarding evidence on how due diligence is exercised, which includes whether the licensee investigated the reputation of the third-party service provider, what level of access and what safeguards are in place to protect the licensee’s information systems, what contractual terms are in place, and whether the licensee or the third-party service provider have cyber insurance.
Even though these factors are helpful and likely necessary for a licensee to exercise due diligence in making its selection, one factor stands above the rest. Specifically, the contract terms between the licensee and the third-party service provider are essential in determining whether a licensee has performed its due diligence throughout the selection process. Since the IDSA requires licensees to oversee third-party service providers because these providers may subject the licensee to IDSA violations vicariously through the provider, the licensee must endeavor to place stringent oversight and supervisory provisions within the terms of such contracts. A licensee must be able to evaluate the privacy and security practices of its third-party service provider, which means that they must agree to contract terms granting the licensee with access it needs to gain a better understanding of the service provider’s operations and security measures. Other terms that must be addressed in such service agreements include the following: the third-party service provider’s policies align with the mandates placed upon the licensee, notification controls alert the licensee if a cyberattack occurs, and the licensee is able to create procedures that allows it to supervise the third-party service provider. Although the due diligence dilemma for licensees is profound, it is not the only area of uncertainty a licensee faces with regard to its third-party service provider usage.
As noted above, the IDSA requires its third-party service providers to implement appropriate measures to protect the information systems and nonpublic information while also implicitly requiring the licensee to oversee its third-party service providers in order to remain compliant. However, the IDSA does not provide any more direction as to how those “appropriate measures” apply to third-party service providers. One may argue that licensees must require their third-party service providers to implement protective measures that correspond with the IDSA’s information security program because these provisions are so intertwined with and instrumental in the licensee’s use of third-party service providers in the first place. Furthermore, if a licensee is going to use a third-party service provider to implement and maintain its information security program, it must follow that the third-party service provider must also adhere to the provisions mandated on the licensee.
However, one may also argue that if the South Carolina General Assembly intended for third-party service providers to follow the IDSA guidelines, then it would have explicitly done so. Instead, it only requires these service providers to implement “appropriate administrative, technical, and physical measures to protect” nonpublic information and information systems. The term appropriate is ambiguous and has two possible interpretations. One interpretation is that third-party service providers are held to the same higher standard as licensees. However, the second interpretation could imply a lower standard for third-party service providers regarding their protective measures for licensees because, while licensees must comply with extensive and specific requirements under the IDSA, third-party service providers, again, only need to implement those measures deemed appropriate.
The former interpretation should be adopted. Although requiring third-party service providers to adhere to the more stringent provisions of the IDSA may lead to higher contracting costs to the licensee, it will provide these licensees with invaluable information. It will provide greater insight into the third-party service provider’s privacy and security procedures, provide licensees with more information concerning weak points in their security system, and provide greater opportunity to anticipate and prevent future cybersecurity events. Despite the fact that the licensee may have to pay more to contract with these third-party service providers to gain more intrusive access to its systems, these costs would likely have been spent on internal information security program expenses, such as additional employee salaries, additional costs regarding creation of an information security program, and additional cybersecurity measures within the information security program.
Although there are many important facets of the IDSA concerning a licensee’s compliance, the risk assessment is the starting point for a licensee’s entire information security program. With the broad coverage and reach of the IDSA through the definitions of licensee and nonpublic information, the South Carolina General Assembly decided to place some limits on the scope of the IDSA by providing explicit and implicit safe harbors to what constitutes a cybersecurity event. Through this lens, the licensee must undergo a risk assessment that acts as the starting point to create its data security program.Although the IDSA does not provide a helpful definition of risk assessment, it does require a licensee to “identify reasonably foreseeable internal or external threats” that could result in a cybersecurity event. Like a math problem, if you use the right formula, but use the wrong numbers, you will get a wrong answer. Similarly, the IDSA provides data security protocols, but if a licensee fails to identify the correct threats, it may lead to a noncompliant information security program.
Due to the minimal guidelines the IDSA provides licensees, it is difficult for these entities to discern what it must consider when designing its information security program. Although not a sufficient factor in discerning what reasonably foreseeable risks exist, a good starting point would be to consider the licensee’s size and complexity. This factor necessarily informs the probability of a breach occurring. With larger entities, there are more access points for hackers to exploit, and generally, larger entities implement more complex information systems. Furthermore, as information systems become more complex, they also become more susceptible to attacks because they usually contain more lines of code, which makes it not only harder to test these systems for weaknesses but also easier for a hacker to exploit them. A licensee must take into account its size and its information system’s complexity because, as these two elements increase, so does the likelihood a data breach may occur.
A licensee must also consider the type and sensitivity of information it stores or possesses when conducting its risk assessment. The data market is as sophisticated as any, with cybercriminals selling varying types of nonpublic information valued at different rates. Licensees, many of whom are insurers or brokers, handle sensitive information: Social Security numbers, drivers licenses information,credit card information, online payment login information, and medical records. Accordingly, as the type of nonpublic information the licensee possesses becomes more lucrative in nature, the likelihood of facing a cybersecurity event increases. Because licensees know they handle more sensitive information that are desirable to hackers, they must consider this element in analyzing the reasonably foreseeable risks they face.
When considering the type of information a licensee possesses or handles, it must also evaluate the severity of harm that may occur due to a breakdown or breach of its information security program. A licensee should evaluate, considering that it possesses sensitive information, what harm may follow if a cybersecurity event occurred. If the effect of the harm is less severe because the type or amount of information the licensee possesses is not as sensitive, then its risk assessment would likely be less extensive than a licensee who possesses great quantities of sensitive information.
Finally, a licensee should consider its use of third-party service providers when it conducts its risk assessment. Third-party service providers have been cited as a major vehicle for hackers to infiltrate entities and cause data breaches. Third-party service providers are a potential danger to licensees because these providers could maintain the licensee’s nonpublic data and provide access for a hacker into the licensee’s information system. Because third-party service providers are a potential liability towards a licensee’s information security program, it must take adequate measures in vetting its service provider such as conducting a risk assessment on the third-party service provider itself.Although the IDSA requires a licensee to conduct a risk assessment but does not provide a system in which to conduct that assessment, these factors account for the essential questions a licensee must tackle in order to design, implement, and maintain a compliant information security system. However, this assessment is not limited to these factors, rather these factors provide only a good place to start for licensees conducting their risk assessment.
In today’s day and age where businesses collect more valuable data to gain a competitive edge and hackers become more brazen in how they access that information, cybersecurity protocols are coming to the forefront of issues for consumers. Insurance companies, in particular, are in hacker’s crosshairs because they possess vast amounts of valuable data but lack adequate security protocols to protect it. The IDSA represents a strategy to fight against these occurrences through mandatory information security programs designed to prevent cybersecurity events from happening. Although the IDSA will likely mitigate the effects of cyberattacks, it will not protect consumers in the manner that it strives for. Without more guidance to these issues regarding the IDSA’s provisions, licensees will be frustrated due to penalties for noncompliance, which will lead to consumer distrust. Additionally, without a more severe penalty, licensees do not have a deep incentive to comply with the mandates. Those appointed to oversee the IDSA’s enforcement start out crippled due to the two major notification safe harbors, possibly leading to countless breaches going undocumented. Without more explanation from the SCDOI, consumers will ultimately pay the price, whose nonpublic information will be more vulnerable to attack without further guidance.