Insurance Regulation: States Take First Steps to Adopt NAIC Model Cybersecurity Law
May 25, 2018 | Robert Tugander | Greg E. Mann | |The insurance industry is becoming the next frontier for cybersecurity regulations. On May 8, 2018, South Carolina became the first state to adopt the National Association of Insurance Commissioners’ (NAIC’s) regulations specific to insurers and brokers, and the Rhode Island Legislature is currently considering a similar bill.
The NAIC, the leading national regulatory support organization, in October 2017 adopted the “Insurance Data Security Model Law.” The Model Law was based on New York’s first-of-its-kind cybersecurity regulation. New York’s regulation, enacted in March 2017, established minimum cybersecurity standards for insurance companies, banks and other financial services institutions.
Given these recent developments, it is important for insurers, agents and brokers to be familiar with the Model Law. Most states currently have insurance-specific data protection laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. The Model Law expands on these requirements and is intended to promote uniformity of data security and breach notification standards in the insurance industry.
Key Aspects of the Model Law
At the centerpiece of the Model Law is the Information Security Program. Licensees – meaning anyone required to be licensed, authorized or registered pursuant to the state’s insurance laws – must develop a comprehensive written Information Security Program. Essentially, the Licensee must have a plan in place to safeguard “Nonpublic Information” (social security numbers, driver’s license numbers, account numbers, credit card information, business data, etc.). The Information Security Program must be adequately designed to protect the security and confidentiality of Nonpublic Information, protect against threats to the integrity of the information and protect against unauthorized access to the information. Licensees must also develop a schedule for deleting Nonpublic Information when it is no longer needed.
The Model Law recognizes that not all Licensees are on equal footing, and calls for an Information Security Program that is commensurate with the size and complexity of the Licensee and the nature and scope of its operations. For example, the Model Law carves out limited exceptions for Licensees with fewer than 10 employees and Licensees who comply with HIPAA’s rules regarding Information Security Programs. Those exempt Licensees, however, are still subject to the Model Law’s requirements regarding investigation and notification of data breaches.
All Licensees must identify reasonably foreseeable internal and external threats (risk assessments) and must develop measures for mitigating those risks (risk management). The Model Law also imposes oversight obligations. It requires a company’s board of directors (or an appropriate committee) to “[o]versee the development, implementation, and maintenance of the Licensee’s Information Security Program.” Licensees are further instructed to exercise due diligence in selecting and overseeing its third-party service providers.
At the heart of the Information Security Program is the “incident response plan.” Each Licensee must develop a plan designed to promptly respond to, and recover from, a cybersecurity event – “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.”
Finally, each Licensee must certify annually to state insurance regulators that it is in compliance with the Model Law’s requirements.
What Happens If There Is a Breach?
If the Licensee learns of or suspects there has been a data breach, it must conduct a prompt investigation. At a minimum, it must: (1) determine if a cybersecurity event has occurred; (2) assess the nature and scope of the event; (3) identify any nonpublic information that has been affected; and (4) restore the security of the information systems compromised.
The Model Law also contains stringent data breach notification requirements. Licensees must notify the state insurance commissioner as soon as possible, but no later than 72 hours from determining that a cybersecurity event has occurred. These notification requirements are triggered when the Licensee reasonably believes that the breach of nonpublic information affects 250 or more consumers residing in the state and notice is required either by state or federal law. Notice is also required if the event has a reasonable likelihood of materially harming any consumer residing in the state or any material part of the normal operations of the Licensee.
These same requirements apply where there has been a breach of a system maintained by a third-party service provider.
In the case of a reinsurer who does not have a direct contractual relationship with the affected consumers, the reinsurer must notify its affected ceding insurers and state insurance commissioner within 72 hours of determining that at cybersecurity event has occurred. Ceding insurers that have a direct contractual relationship with affected consumers must comply with any state consumer notification requirements.
The Model Law defers to the state’s data breach notification law to determine whether consumer notification is required.
Violations and Penalties
The state insurance commissioner is given the power to examine and investigate the affairs of the Licensee and to determine if the Licensee has violated any provision of the rule. In the event of a violation, the commissioner is empowered to take action necessary to enforce the provisions of the Model Law and to impose penalties.
Timing of Compliance
If a state ultimately adopts the NAIC Model Law, insurers will have one year to comply with all but the Third-Party Service Provider rules. Licensees will have an additional year to achieve full compliance.
However, even if a Licensee’s home state has not adopted the Model Law, insurers, brokers and agents should still track which states have enacted the Model Law because it could impact out-of-state insurers. The Model Law applies to nonresident Licensees, except for purchasing groups, risk-retention groups or when acting as an assuming insurer. For example, a broker resident in a state that has not adopted the Model Law may be potentially subject to the Model Law if he or she is also licensed in another state that has adopted the Model Law.
State Action
The South Carolina law, which tracks the Model Law, will go into effect on January 1, 2019. Licensees will have until July 1, 2019 to implement an Information Security Program and until July 1, 2020 to comply with Third-Party Service Provider due-diligence requirements.
Legislation based on the Model Law has also been introduced in Rhode Island. Other states are expected to add this to their legislative calendars in the coming months.
Federal Action
Insurance regulation is traditionally left to the states. But, in November 2017, the Treasury Department endorsed the Model Law. The Treasury Department urged Congress to pass its own cybersecurity law if the Model Law is not uniformly adopted in the next five years. The Treasury Department made clear that, although it supports the state-based system of insurance regulation, it views cybersecurity as an issue of national concern.
Forecast
It remains to be seen how many state legislatures will adopt the Model Law and what Congress might do if the states do not adopt their own measures. But the Model Law is gaining traction. If widely adopted by the states, the Model Law would establish uniform standards for data security for insurers, agents and brokers. Given the rapidly changing cybersecurity landscape for insurers, it is important for insurers to keep track of these developments and to adapt going forward.