Blog

Updated: Insurance Data Security Model Law - Larson And Company

Written by Larson And Company | 24 Feb 2020

Recent Model Adoption or Specific Related State Activity

The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity event.

Applicable to licensed, authorized, registered with the insurance laws of the applicable State, but does not include purchasing group or risk retention group chartered and licensed in a state other than the applicable State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Additional exceptions apply:

  • Licensee has fewer than 10 employees, including independent contractors
  • Licensee subject to Health Insurance Portability and Accountability Act (HIPAA) that has established and maintains an information security program and is in compliance with the requirements and submits a written statement certifying its compliance
  • If the Licensee is covered under another Licensee’s Information Security Program

 

The following requirements apply to Licensee’s not included in the above exceptions.

Requirements

Depending on the size and complexity of the Licensee, the Licensee shall develop, implement, and maintain a comprehensive written Information Security Program based on the Risk Assessment and that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information and Licensee’s information System. The Information Security Program needs to contain the following:

Risk Assessment – perform a continual risk assessment and identify foreseeable internal and external threats, likelihood and potential damage of these threats, assess policies, procedures, and information systems and implement safeguard to manage identified threats. The Assessment should occur annually.

Risk Management – Design the Information Security Program to mitigate identified risks, including Third-Party Service Providers (TPA) and the sensitivity of information used or in possession, custody, or control of the Licensee. Include cybersecurity risks in the enterprise risk management process. Stay informed regarding new threats or vulnerabilities, and provide personnel with cybersecurity awareness training.

Oversight by Board of Directors – The Board of Directors or appropriate committee is required to develop, implement, and maintain the information security program, and to report annually in writing the overall status and material matters relating to the Information Security Program.

Oversight of Third-Party Service Provider Arrangements – Due diligence is required when selecting TPA’s and the TPA is required to implement appropriate technical and physical measured to protect and secure the Information Systems and information held by the TPA.

Program Adjustments – The Information Security Program is required to continually be monitored, evaluated, and adjusted for changing technology, business operations, and maintained sensitive information.

Incident Response Plan – A written incident response plan is required to be established and maintained

Annual Certification to Commissioner – Annually, each insurer is required to provide to the Commissioner a written statement certifying compliance. This is required by February 15th each year.

Investigate Cybersecurity Events

If the licensee learns of a cybersecurity event they are required to conduct a prompt investigation and at a minimum determine:

  • If a cybersecurity event has occurred
  • Assess the nature and scope of the event
  • Identify information that may have been involved
  • Perform or oversee reasonable measured to restore the security of the Information Security Systems compromised by the event to prevent further unauthorized acquisition release or use of information in possession, custody or control.

Records must be maintained concerning all cybersecurity events for a period of at least 5 years.

Notification of Cybersecurity Events

The Commissioner shall be notified promptly but no later than 72 hours from a determination that a cybersecurity event has occurred. Notification to the consumer shall comply with State laws.

 Model Adoption or Specific Related State Activity

  • Alabama: ALA. Code § 27-62-1 to 27-62-12 (2019)
  • Connecticut: CONN. GEN. STAT. ANN. §P.A. 19-117, §230
  • Delaware: DEL. CODE ANN. Tit. 18, § 8601 to 8611
  • Maryland: SB No. 30 (2019); Bulletin 2019-14 (2019)
  • Michigan: MICH. COMP. LAWS § 500.550 to 500.565 (2018).
  • Mississippi: S.B. No. 2831 (2019).
  • New Hampshire: N.H. REV. STAT.ANN. § 420-P:1 to 420-P:14; § 309:2 to 309:3 (2019).
  • New York: NY. COMP.CODES R. & REGS. Tit. 23, § 500 (2017)
  • Ohio: OHIO REV. CODE ANN. § 3965.01 to 3965.11 (2018)
  • South Carolina: S.C. CODE ANN. § 38-99-10 t 38-99-100 (2018)

 

For more information about the Data Security Model Law or how it may or may not impact your organization please reach out to your Larson & Company advisor.