Three states have now enacted variations of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (MDL-668), which is largely based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial services entities licensed in the state of New York. The legislative trend based on the NAIC model law prescribes specific cybersecurity requirements for insurance-related entities. South Carolina led the pack, enacting the Insurance Data Security Act in May 2018. Ohio and Michigan followed suit in December, and other states appear poised to consider similar legislation.
Common provisions. The NAIC model law and its three enacted versions share several notable provisions:
Broad definition of nonpublic information. Like the NYDFS requirements, the insurance laws define “nonpublic information” broadly. The definition includes not only personal information, but also “business-related information” that, if affected in an incident, would cause a “materially adverse effect” to the entity’s business, operations or security. As just one example, this means that a ransomware event that cripples an entity’s business operations would likely trigger a notice obligation even if the event did not involve personal information.
Information-security program requirements. The laws require companies to complete ongoing risk assessments; adopt risk-based, written information-security programs; implement written incident-response plans; and establish enterprise cybersecurity governance with board oversight. Covered entities must also demonstrate appropriate oversight of third-party service providers.
Confidentiality provisions. The laws include broad confidentiality provisions: responsive material provided by covered entities is exempt from public records requests or subpoenas, and it is inadmissible in a private civil action.
State variations. The state variations differ most significantly from the model law on breach notification requirements and exemptions for smaller entities. Ohio’s law also includes a novel defense that provides a “safe harbor” to entities that comply with certain cybersecurity frameworks.
Breach notification requirements. Covered entities that experience a data breach or “cybersecurity event” must notify their respective state insurance regulator if South Carolina, Ohio or Michigan is the insurer’s home state or if the event affects 250 or more state residents. However, the notice deadlines differ under each statute. South Carolina requires notice to the state insurance director within 72 hours of detecting a cybersecurity event. Licensees in Ohio have three business days to report cybersecurity events to the state superintendent. The Michigan statute provides the most generous notice deadline, giving licensees 10 business days to report cybersecurity events. Recognizing that details are often limited in the early days of an incident, each state requires material updates as the investigation progresses.
The model law and state versions exempt smaller entities from certain obligations. The model law exempts entities with fewer than 10 employees from the law’s information-security program requirements (but not from the incident investigation and notice provisions). Like the model law, the Michigan and Ohio laws exempt small entities from the information-security program requirements only. Michigan’s law exempts entities with fewer than 25 employees, while Ohio’s law exempts entities with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in total assets at the end of the business’s fiscal year. By contrast, South Carolina’s law exempts entities with fewer than 10 employees from compliance with the entire law (but those entities will still be subject to general state breach notification laws).
Ohio’s cybersecurity “safe harbor” expanded to include the model law. Ohio’s version deviates most significantly from the model law, providing licensees who comply with the law an affirmative defense against tort claims alleging failure to implement reasonable cybersecurity controls. (See our previous blog post for more on the Ohio “safe harbor” law.) That said, the law is a defense only against causes of action under Ohio law.
Act now to achieve compliance. Organizations subject to the NYDFS Cybersecurity Regulations will be ahead of the curve in their efforts to comply with the new insurance security laws. Many organizations not previously subject to mandatory cybersecurity requirements could face a steep road to compliance. South Carolina’s law became effective on Jan. 1, 2019, with the requirement to implement a comprehensive information-security program effective July 1, 2019, and the requirement to vet third-party service providers delayed until July 1, 2020. The Michigan statute takes effect Jan. 20, 2021, with the obligation to develop a comprehensive information-security program delayed until Jan. 20, 2022, and the requirement to vet third-party service providers delayed until Jan. 20, 2023. The Ohio statute gives insurers two years to comply with requirements regarding third-party service providers, and 12 months to comply with the requirement to implement a comprehensive information-security program. Based on our experience helping clients achieve compliance with the NYDFS requirements and similar regulations, covered entities should begin their compliance efforts now to meet fast-approaching deadlines.