South Carolina became the first state to pass a law requiring all insurance entities to create and maintain a cybersecurity and data breach response program.
Among the law’s provisions is a requirement to notify the state government within 72 hours in the event of a breach or cybersecurity event affecting 250 or more people, the protection of policyholder’s personally identifiable information, and an annual statement detailing their breach response plan.
The law itself was drafted by the National Association of Insurance Commissioners’ Cybersecurity Working Group, and was adapted from a similar proposal in New York. It is expected that other states will be following suit with similar measures.
Read more about the law here.