Patchwork of Cybersecurity Regulations Creates Problems for Insurers

The cyber insurance market landscape continues to change, as insurers grapple with the growing threats hackers pose to policyholders. But less discussed are insurers’ internal cyber security practices. Insurers possess extensive personal information about policyholders, making insurers attractive targets for hackers.

In October 2017, responding to these concerns, the National Association of Insurance Commissioners (the NAIC), adopted the “Insurance Data Security Model Law,” also known as Model Law 668. Model Law 668 was based on New York’s first-of-its-kind cybersecurity regulation. New York’s regulation, enacted in March 2017, established minimum cybersecurity standards for insurance companies, banks, and other financial services institutions.

Model Law 668 is intended to promote uniformity of data security and breach notification standards in the insurance industry. Although states were initially slow to adopt Model Law 668, the pace has accelerated in the past year. In 2021 alone, seven states have enacted a version of Model Law 668, bringing the total number of states to 18 including: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Virginia and Wisconsin.

Model Law 668 establishes requirements for data security, responses to breaches, and notification to policyholders. It covers “Licensees,” meaning anyone required to be licensed, authorized or registered pursuant to the state’s insurance laws. Depending on state law, this could include not only insurers, but also insurance agents, public adjusters, and claims handlers. Licensees must develop a comprehensive written Information Security Program. Essentially, the Licensee must have a plan in place to safeguard certain “Nonpublic Information” such as Social Security numbers, driver’s license numbers, account numbers, and credit card information. Licensees must also develop a schedule for deleting Nonpublic Information when it is no longer needed.

Model Law 668 takes a balanced approach to cybersecurity based on the size and complexity of the Licensee and the nature and scope of its operations. For example, the law carves out limited exceptions for Licensees with fewer than 10 employees and Licensees who comply with HIPAA’s rules regarding Information Security Programs. Those exempt Licensees, however, are still subject to Model Law 668’s requirements regarding investigation and notification of data breaches.

Similarly, Licensees must have an “Incident Response Plan” in the event of a breach. If the Licensee learns of or suspects there has been a data breach, it must conduct a prompt investigation. The Incident Response Plan must: (1) determine if a cybersecurity event has occurred; (2) assess the nature and scope of the event; (3) identify any Nonpublic Information that has been affected; and (4) restore the security of the information systems compromised.

One of the first questions insurers and practitioners will ask is, “What are the penalties for non-compliance?” Model Law 668 provides little guidance. Although it includes a provision that explicitly declines to create any new private cause of action, it does not bar any action that otherwise exists under applicable state law. Model Law 668 itself includes few recommendations regarding penalties; rather, it focuses on state regulatory authority and action in the event of a violation.

Despite the increasing pace of state adoption, most states have still not adopted Model Law 668. This lack of universal adoption risks disharmony in the insurance market, as insurers must comply with different cybersecurity regulations across state lines, a concern which is compounded by the universal nature of cyber threats. Even those states that have adopted Model Law 668 have done so inconsistently, creating a patchwork of different regulations.

For example, the deadline to report cybersecurity events to the commissioner varies from state to state. While the requirement is usually three business days in most states, it is 72 hours in South Carolina, five business days in Minnesota and ten business days in Michigan.

In addition, there are discrepancies about which entities are exempt from the law’s various requirements. For example, Connecticut only exempts entities from its insurance data security laws if the entity has fewer than ten employees, including independent contractors. In contrast, Alabama exempts entities that either have fewer than 25 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets. Mississippi exempts entities that either have fewer than 50 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets.

Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to Licensees for data security, investigation, and notification to the commissioner of a cybersecurity event. Most states, excluding Connecticut and South Carolina, have adopted an exclusive standard provision, while Model Law 668 does not provide for such a standard.

However, there is one area where there has been general consistency across adopting states: enforcement and penalties. No state has created a new private right of action. Rather, each has authorized state insurance commissioners to enforce the law under existing insurance law and engage in related rulemaking.

When the NAIC first adopted the law in 2017, the Treasury Department urged Congress to pass its own cybersecurity law if Model Law 668 was not uniformly adopted in the subsequent five years. It does not appear that benchmark will be met next year. This possibility has played a role in encouraging states to adopt Model Law 668. In fact, a draft of Hawaii’s law expressly stated that it was being adopted to promote state uniformity and forestall federal preemption. It is possible Congress may revisit this issue and pass nationwide legislation applicable to insurers, which could preempt state laws. In 2018, the Financial Services Committee of the U.S. House of Representatives passed a bill called the Consumer Information Notification Requirement Act that would have created a hybrid regime under which federal financial authorities such as the Federal Reserve and Comptroller of the Currency would establish standards for preventing and notifying customers of data breaches. Although that bill did not become law, it is an issue that a new Congress in 2022 could add to the legislative calendar.

Whether Congress acts or not, and regardless of which states adopt Model Law 668, insurers that issue policies across state lines will need to take steps to ensure compliance with varying cyber regulations.

Reprinted with permission from the October 4, 2021, issue of the New York Law Journal©, ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.