
    South Carolina Department Clarifies Confusing Change in Its New Insurance Data Security Act

    Locke Lord Publications

    As reported on Locke Lord’s InsureReinsure blog, the NAIC adopted a model law for the protection of the data and systems used by the insurance industry, and South Carolina became the first state to enact legislation based on the NAIC model. In doing so, however, the South Carolina legislature created some uncertainty by changing a couple of words.

    The purpose of the NAIC model is to protect the insurance industry and its consumers against cybersecurity threats by requiring licensees to adopt certain cybersecurity measures. Apparently seeking to avoid the confusion and expense related to divergent requirements that could apply to licensees (the inconsistent state breach notification requirements are a perfect example!), the NAIC model contains an express exception for licensees that certify compliance with HIPAA. In the same spirit, it also includes a drafting note stating that compliance with the previously existing New York Department of Financial Services Cybersecurity Regulation is deemed to be in compliance with the NAIC model.

    A simple change in wording of the HIPAA exception, however, created some confusing daylight between the South Carolina law and the NAIC model. The South Carolina statute revised the wording of the NAIC model’s HIPAA exception from “compliance, with the same” (referring to HIPAA) to “compliance with, the provisions of this chapter.” (Emphasis added.) A literal reading of the South Carolina language would create an inherent inconsistency: licensees that comply with HIPAA are excepted from the South Carolina law if they comply with, and certify compliance with, the provisions of the South Carolina law.

    Fortunately, on June 14, 2018, the South Carolina Director of Insurance issued Bulletin Number 2018-02, which describes the exceptions from the South Carolina Insurance Data Security Act as including, “Licensees that are able to certify compliance with the requirements of [HIPAA] via a written certification will be deemed to meet the requirements of the [South Carolina law].” This statement clearly reflects the intent of the NAIC model, and indicates that the South Carolina Department of Insurance will implement the South Carolina law in a way that will make sense of the otherwise minor but confusing change in the language of the statute.
