Three states have now enacted variations of the National Association of Insurance Commissioners' (NAIC) Insurance Data Security Model Law (MDL-668), which is itself largely based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance, and financial services entities licensed in the state of New York. The legislative trend based on the NAIC model law prescribes specific cybersecurity requirements for insurance-related entities. South Carolina led the pack, enacting its Insurance Data Security Act in May 2018. Ohio and Michigan followed suit in December.
Common provisions. The NAIC model law and its three enacted versions share several notable provisions:

A broad definition of nonpublic information. Like the NYDFS requirements, the insurance laws define "nonpublic information" broadly. The definition includes not only personal information but also "business-related information" that, if affected in an incident, would cause a "materially adverse impact" to the entity's business, operations, or security. As just one example, a ransomware event that cripples an entity's business operations would likely trigger a notice obligation even if the event did not involve any personal information.

Information-security program requirements. The laws require companies to complete ongoing risk assessments; adopt risk-based, written information-security programs; implement written incident-response plans; and establish enterprise cybersecurity governance with board oversight. Covered entities must also demonstrate appropriate oversight of third-party service providers.

Confidentiality provisions. The laws include broad confidentiality provisions: responsive material provided by covered entities is exempt from public records requests and subpoenas, and it is inadmissible in a private civil action.

State variations. The state versions differ significantly from the model law on breach notification requirements and on exemptions for smaller entities. Ohio's law also includes a novel defense that provides a "safe harbor" to entities that comply with certain cybersecurity frameworks. Other states appear poised to consider similar legislation.
Breach notification requirements. Covered entities that experience a data breach or "cybersecurity event" must notify their state insurance regulator if South Carolina, Ohio, or Michigan is the insurer's home state, or if the event affects 250 or more residents of that state. The notice deadlines, however, differ under each statute. South Carolina requires the state insurance director to be notified within 72 hours of detecting a cybersecurity event. Licensees in Ohio have three business days to report cybersecurity events to the state superintendent. The Michigan statute provides the most generous notice deadline, giving licensees 10 business days to report cybersecurity events. Recognizing that details are often limited in the early days of an incident, each state requires material updates as the investigation progresses.
Exemptions for smaller entities. The model law and the state versions exempt smaller entities from certain obligations, but they draw the lines differently. The model law exempts entities with fewer than 10 employees from its information-security program requirements (but not from the incident investigation and notification provisions). Like the model law, the Michigan and Ohio laws exempt small entities from the information-security program requirements only. Michigan's law exempts entities with fewer than 25 employees, while Ohio's law exempts entities with fewer than 20 employees, less than $5 million in gross annual revenue, or less than $10 million in total assets at the end of the business's fiscal year. By contrast, South Carolina's law exempts entities with fewer than 10 employees from compliance with the entire law (although those entities remain subject to the general state breach notification law).