Three states recently enacted variations of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of New York. The legislative trend based on the NAIC model law prescribes detailed cybersecurity requirements for insurance-related entities. South Carolina led the pack, enacting the Insurance Data Security Act in May 2018. Ohio and Michigan followed suit in December, and other states appear poised to consider similar legislation.
Common provisions. The NAIC model law and its three enacted variations contain common notable provisions:
- Broad definition of nonpublic information. Like the NYDFS requirements, the insurance laws define “nonpublic information” broadly. The definition includes not only personal information, but also “business-related information” that if affected in an incident would cause a “materially adverse impact” to the entity’s business, operation or security. As just one example, this means that a ransomware event that cripples an entity’s business operations would likely trigger a notice obligation even if the event did not involve personal information.
- Information-security program requirements. The laws require organizations to complete ongoing risk assessments; adopt risk-based, written information-security programs; implement written incident-response plans; and establish enterprise cybersecurity governance with board oversight. Covered entities must also demonstrate appropriate oversight of third-party service providers.
- Confidentiality provisions. The laws include broad confidentiality provisions—responsive material provided by covered entities is exempt from public records requests or subpoenas, and it is inadmissible in a private civil action.
State variations. The state variations differ most notably from the model law on breach notification requirements and exemptions for smaller entities. Ohio’s law also includes a novel defense that provides a “safe harbor” to entities that comply with certain cybersecurity frameworks.
- Breach notification requirements. Covered entities that experience a data breach or “cybersecurity event” must notify their respective state insurance regulator if South Carolina, Ohio or Michigan is the insurer’s home state or if the event affects 250 or more state residents. However, the notice deadlines vary under each statute. South Carolina requires notice to the state insurance director within 72 hours of detecting a cybersecurity event. Licensees in Ohio will have three business days to report cybersecurity events to the state superintendent. The Michigan statute provides the most generous notice deadline, giving licensees 10 business days to report cybersecurity events. Recognizing that details are often limited in the early days of an incident, each state requires material updates as the investigation progresses.
- The model law and state variations exempt smaller entities from certain obligations. The model law exempts entities with fewer than 10 employees from the law’s information-security program requirements (but not from the incident investigation and notice provisions). Like the model law, the Michigan and Ohio laws exempt small entities from the information-security program requirements only. Michigan’s law exempts entities with fewer than 25 employees, while Ohio’s law exempts entities with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in total assets at the end of the business’s fiscal year. By contrast, South Carolina’s law exempts entities with fewer than 10 employees from compliance with the entire law (but these entities will still be subject to general state breach notification laws).
- Ohio’s cybersecurity “safe harbor” expanded to include the model law. Ohio’s version deviates most notably from the model law, offering licensees who comply with the law an affirmative defense against tort claims alleging failure to implement reasonable cybersecurity controls. (See our previous blog post for more on the Ohio “safe harbor” law.) That said, the law is a defense only against causes of action under Ohio law.
Act now to achieve compliance. Organizations subject to the NYDFS Cybersecurity Regulations will be ahead of the curve in their efforts to comply with the new insurance security laws. Many organizations not previously subject to mandatory cybersecurity requirements could face a steep road to compliance. South Carolina’s law became effective on Jan. 1, 2019, with the requirement to implement a comprehensive information-security program effective July 1, 2019, and the requirement to vet third-party service providers delayed until July 1, 2020. The Michigan statute takes effect Jan. 20, 2021, with the obligation to develop a comprehensive information-security program delayed until Jan. 20, 2022, and the requirement to vet third-party service providers delayed until Jan. 20, 2023. The Ohio statute gives insurers two years to comply with requirements regarding third-party service providers, and one year to comply with the requirement to implement a comprehensive information-security program. Based on our experience helping clients achieve compliance with the NYDFS requirements and similar regulations, covered entities should start their compliance efforts now to meet fast-approaching deadlines.