Search By Practice Area
The threat posed by hackers is real and existential. Hackers penetrate a company’s systems to steal client and employee information, which leads to identity theft, loss of business, and irreparable harm. Recognizing the threat posed by hackers and data breaches, the National Association of Insurance Commissioners recommended that states pass the Insurance Data Security Model Law (“Model Law”).
The purpose of the Model Law is to require businesses and companies in the insurance industry to take reasonable steps to protect sensitive information, investigate potential data incidents and breaches, and respond accordingly. To enable industry action, penalties and fines in the state-specific versions of the Model Law are significant.
Specifically, fines range from $250 up to potentially $75,000 while the violation continues. Beyond monetary penalties, insurance commissioners have the right to revoke a Licensee or insurer’s license for violations. Currently, states that passed or implemented a version of the Insurance Data Security Model Law include Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio, and South Carolina. New York implemented a similar law (See 23 NYCRR 500) through the Department of Financial Services.
Below is a summary of the pertinent aspects of the Model Law.
Application and Definitions
The Model Law applies to anyone licensed, authorized to operate, registered, and or required to be registered according to the insurance laws of a specific state (“Licensee(s)”).
Non-public information (“NPI”) means information that is not publicly available and is:
- Business-related information of a Licensee that, if accessed, would cause a material adverse impact to the business, operations, or security of the Licensee; or
- A consumer’s name, number, personal mark, or other identifier that can be used to identify the consumer in combination with any one or more of the following:
- Social Security Number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number;
- Any security code, access code or password that would permit access to a consumer’s financial account;
- Biometric records; or
- Health information, including:
- The past, present, or future physical, mental, behavioral health, or condition of the consumer or the consumer’s family member;
- Provision of health care to any consumer; or
- Payment for healthcare to any consumer.
A consumer (“Consumer”) means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders who is a resident of that state and whose NPI is in a Licensee’s possession, custody, or control.
A Cybersecurity Event (“Cyber Event”) means an event resulting in unauthorized access to, disruption, or misuse of, an information system(s) or information stored on such information system(s).
A third-party service provider(s) (“Provider(s)”) means a person or business, not otherwise defined as a Licensee, that contracts with a Licensee to maintain, process, store, or otherwise is permitted access to NPI through its provision of services to the Licensee.
Licensees must implement a written information security program (“Program”) outlining the administrative, technical, and physical safeguards it takes to protect NPI. Further, Licensees must perform risk assessments to determine threats, the likelihood of damages, and assess the policies and procedures in place to protect NPI. Based on the risk assessment, the Licensee must mitigate the identified risks commensurate with the size, scope, complexity, use of Providers, and the sensitivity of the NPI used, controlled, possessed, or stored by the Licensee.
If a Licensee has a board of directors (“board”), the board must develop, implement, maintain, test, and revise (as necessary) the Program. Further, the board must annually report in writing addressing the state of the Program, any material matters related to the Program, issues identified from the risk assessment, third-party service provider management, any incidents or breaches, and recommended changes to the Program.
If a Licensee learns that a potential Cyber Event occurred or may have occurred (including a Cyber Event involving a Provider(s)), the Licensee must investigate the incident to determine if it qualifies as a Cyber Event, assess the nature and scope of the Cyber Event, identify any NPI involved, and take the necessary measures to remediate the Cyber Event.
Licensees must ensure that its Providers (i.e., any company handling its NPI (e.g., external IT or cybersecurity companies, payroll providers, outside human resources services, etc.) have their own written Programs in place to protect NPI. A Licensee is responsible for its Providers failing to take steps to conform with the applicable law
Incident response plan
The Licensee must establish a written incident response plan (“Plan”) to promptly respond and recover from a Cyber Event that compromises the confidentiality, integrity, or availability of NPI. The Plan must address the procedures for responding to Cyber Events, goals of the Plan, defining roles and responsibilities of decision making authority, communications protocols, identification of requirements for the remediation of weaknesses in its computer systems, documenting and reporting Cyber Events and related incident response activities, and evaluating and revising as necessary the Plan after a Cyber Event.
If a Cyber Event occurs, the Licensee must provide notice to the insurance commissioner of that state no later than seventy-two hours. The timing of the notification requirement varies by state. In general, the notification includes the date, scope, extent, and account of the Cyber Event, descriptions of the NPI stolen, lost, or breached, how it occurred, the steps taken to remediate it, the investigative actions taken after discovering the Cyber Event, and the total number of individuals impacted by the Cyber Event. The notification rule applies to Cyber Events involving a Licensee’s third-party service provider.
An insurer domiciled in a state with the Model Law must provide written notice to the insurance commissioner/director/superintendent/head of the insurance department of that state certifying compliance with the law on February 15 of every calendar year.
Currently, the states that passed or implemented a version of the Insurance Data Security Model Law include Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio, and South Carolina. With more states adopting the Model Law, the time to act to protect your company's data, business operations and reputation is now. The policies and procedures that will be required by this law are similar to a contract or promise you are making with your clients and employees regarding protecting their NPI.
Our cybersecurity and data privacy attorneys can help guide and counsel your company to ensure compliance with the applicable data security laws. We provide the necessary services to demonstrate to your clients, employees, and government regulators that reasonable and prudent steps were put in place to protect NPI as part of a comprehensive data security plan.
Spencer S. Pollock, Esq., CIPP/US is an attorney at Niles, Barton & Wilmer, LLP, concentrating his practice in data security, cybersecurity, and privacy law along with civil defense litigation. He works with his clients to draft, develop, and implement internal policies, programs, and procedures to comply with the applicable state, federal, and international data security, cybersecurity, and privacy laws. Further, he helps clients navigate data breach responses and represents clients in any data breach relating to regulatory actions or litigation.see all Business and Corporate Law articles »
The Maryland Court of Special Appeals provides helpful guidelines to homeowners and HOAs in addressing…read more »
In June, the Securities and Exchange Commission (“SEC”) adopted a new regulation, Regulation…read more »
The National Association of Insurance Commissioners recommended that states pass the Insurance Data…read more »
On June 5, 2019, the Securities and Exchange Commission (SEC) approved the Regulation Best Interest,…read more »
Representation and Warranties policies (R&W policies) insure representations made by a Seller…read more »