Come October 1st, Connecticut will join a growing number of states that have codified data security provisions specifically applicable to the insurance industry. So far, eight states have adopted a model law drafted by the National Association of Insurance Commissioners (NAIC), but thanks to staggered implementation periods, compliance obligations are currently in force in only one state, South Carolina. But other deadlines are approaching.
In a nutshell, the NAIC’s model law establishes data security standards for entities licensed under state insurance laws, and it requires licensees to notify the state insurance regulator in the wake of a breach. It shares similarities with New York’s cybersecurity regulations for financial service companies (23 NYCRR 500 et seq.), requiring the development of an information security plan based on an internal risk assessment.
Significantly, an information security program must include the mitigation of risks related to third-party service providers. Indeed, licensees are required to ensure that third-party service providers implement “appropriate administrative, technical and physical measures” to protect information accessible to or held by those third parties.
Most states that have adopted the model law give licensees one year from the effective date to implement their own programs and two years to ensure that third parties have safeguards in place. The only exception is South Carolina, which gave licensees just six months to have a program up and running. That implementation deadline was July 1st.
While the implementation date for licensees in South Carolina has already passed, there’s still time for South Carolinians to satisfy the third-party service provider component, which must be in place by next July. Licensees in other states have even less time to get their acts together, with Ohio’s initial deadline slated for March 2020.
So what must be done?
First, perform a risk assessment. Start by designating an employee or outside vendor who would be responsible for identifying threats that could compromise “nonpublic information,” defined as (1) business-related information that would, if disclosed, have an adverse impact on the licensee’s business; (2) customer information that could be used to identify a customer; or (3) health-related information, including payment information for health care services.
The risk assessment should also take into account the sufficiency of any policies and procedures already in place to manage security threats.
Based on that assessment, the licensee should then develop a program to mitigate identified risks. Security measures to consider would include:
—placing access controls on information systems;
—protecting nonpublic information by encryption or other appropriate means;
—adopting secure development practices for in-house applications and vetting externally developed applications;
—modifying information systems in keeping with the information security program;
—using effective controls, such as multi-factor authentication procedures;
—regularly testing and monitoring systems and procedures;
—including audit trails within the information security program;
—implementing measures to protect against the destruction, loss, or damage of nonpublic information; and
—developing procedures for the secure disposal of nonpublic information.
The program must also include a written incident response plan, as well as a written statement, filed annually with the insurance regulator, certifying compliance with the law’s requirements.
The model law proposes Feb. 15 as the annual certification date, and all states but one have adopted the February deadline. New Hampshire establishes March 1st as the annual certification deadline.
Taking a cue from the GDPR, the model law requires notification to the state regulator within 72 hours of a breach, but only South Carolina has adopted that strict timeline. Most other states have apparently realized that their insurance regulators are off on weekends and holidays, so they have instead adopted a three-business-day requirement. Michigan is the lone outlier, generously allowing a 10-day notification period.
Licensees are to comply with the state’s existing breach notification statute when it comes to notifying customers.
For a summary of data security obligations affecting other sectors, see Bloomberg Law’s State Data Security Laws Tracker.