States begin adopting insurance cybersecurity requirements
By Lawrence R. Hamilton, Jeffrey P. Taft and Matthew Bisanz|March 29, 2019 at 09:00 AM
In October 2017, the NAIC adopted an Insurance Data Security Model Law that builds on existing data privacy and consumer breach notification obligations. The Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. The Model Law also requires a licensee to satisfy specific requirements related to:
- Risk assessment and management;
- Oversight of third-party service providers;
- Incident reporting, investigation and notification;
- Annual certification; and
- Exceptions (if eligible).
In the United States, the business of insurance is regulated primarily at the state level. That means that the Model Law will not actually apply to a licensee unless and until it is enacted into law by a jurisdiction where that licensee is licensed.
The Model Law has strong similarities to the 2017 cybersecurity regulation issued by the New York Department of Financial Services (NYDFS), so insurance licensees in New York should already have a good handle on compliance. In fact, a drafting note to the Model Law states that the NAIC intends for compliance with the New York regulation to satisfy a licensee’s obligations under the Model Law.
The Model Law is intended to apply to more than just insurers, and includes in its scope most other types of business entities and individual professionals that are licensed under a state’s insurance law — including insurance agents and brokers. However, the Model Law excludes from the definition of licensee purchasing groups or risk retention groups that are chartered and licensed in another state, and insurers that are only assuming business in the state as reinsurers and are domiciled in another state. This definition — like all aspects of the Model Law — may be further tailored by individual states as they adopt the Model Law.
2018 implementation progress
In 2018, the Model Law was enacted in only three states: South Carolina, Ohio and Michigan. It is worth looking at the unique twists and turns of each state’s version of the Model Law.
In May 2018, South Carolina became the first state to enact the Model Law, and its version is practically identical to the NAIC’s Model Law. The only meaningful difference is that South Carolina adopted language stating that the law does not create “any duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network.”
The South Carolina law took effect on Jan. 1, 2019, and requires compliance by July 1, 2019 for most provisions and July 1, 2020 for provisions related to third-party service providers.
In December 2018, Ohio became the second state to enact the Model Law, and its version is substantially similar to the Model Law. Most of the differences between Ohio’s version and the Model Law are non-substantive, but four are worth paying attention to.
First, Ohio narrowed the Model Law’s definition of a “cybersecurity event” by requiring that, in order to qualify as such an event, an incident that causes unauthorized access to or misuse of information must also have “a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” That narrowing of the definition means that licensees should primarily focus on threats that are truly a threat to consumers or to the licensee.
Second, Ohio altered the Model Law’s approach to cybersecurity event notifications by changing the notification deadline from 72 hours after identifying that a reportable incident has occurred to three business days.
Third, Ohio expanded the Model Law’s exemptions for small licensees. The Model Law exempts licensees with fewer than 10 employees, but Ohio’s version exempts licensees with fewer than 20 employees, or with less than $5 million in annual gross revenue, or with less than $10 million in assets.
Fourth, Ohio added a new clause that provides an express defense against tort claims brought in Ohio that allege that an insurance licensee’s lack of reasonable cybersecurity controls caused a data breach. Under this measure, an insurance licensee will have an affirmative defense to such a lawsuit if it has satisfied the requirements of the new law. A similar safe harbor is offered in an Ohio data breach notification law that was also enacted in 2018.
The Ohio law takes effect on March 20, 2019, and requires compliance by March 20, 2020 for most provisions and March 20, 2021 for provisions related to third-party service providers.
Also in December 2018, Michigan became the third state to enact the Model Law, and its version is substantially similar to the Model Law. As with Ohio, most of the differences between Michigan’s version and the Model Law are non-substantive, but two are worth paying attention to.
First, Michigan altered the Model Law’s approach to cybersecurity event notifications by extending the notification deadline from 72 hours after identifying that a reportable incident has occurred to 10 days, and embedding a consumer notification requirement in the law that is based on Michigan’s ID Theft Prevention Act.
Second, Michigan expanded the Model Law’s exemption for small licensees. The Model Law exempts licensees with fewer than 10 employees, but Michigan’s version exempts licensees with fewer than 25 employees (including any independent contractors).
The Michigan law takes effect on Jan. 20, 2021, and requires compliance by Jan. 20, 2022 for most provisions and Jan. 20, 2023 for provisions related to third-party service providers.
2019 prospects and beyond
While there have been no significant surprises to date in state enactments of the NAIC’s Insurance Data Security Model Law, insurance licensees will need to track and analyze each new enactment as it occurs to identify any new, more stringent requirements. It is likely that multi-state and nationwide licensees will determine it is most efficient and cost-effective to adopt the “least common denominator” approach by complying enterprise-wide with the most stringent information security requirements imposed by any state in which the licensee is licensed.
Versions of the Model Law have been introduced in the Connecticut, Mississippi, Nevada, New Hampshire and Rhode Island legislatures. But it remains to be seen how states with existing, non-Model Law insurance cybersecurity requirements will respond to the roll-out of a nationwide standard.
Importantly, the Model Law has been well received at the federal level, with the Department of the Treasury, in its October 2017 Report on Asset Management and Insurance, strongly endorsing the model law and recommending that Congress consider adopting federal legislation that would preempt state law if the Model Law is not adopted within five years.
We expect that states will continue to enact the Model Law in 2019 and beyond. Because of the multi-state nature of the insurance industry, major insurance licensees will likely adopt compliance programs that satisfy the most stringent version of the Model Law that applies to their operations, while smaller non-insurer licensees (such as insurance producers) will likely adopt the compliance programs of the insurers with which they are affiliated.