Major data breaches in recent years are spurring state legislators and regulators across the US into action. Of particular concern to state-level policymakers and enforcement authorities are business practices that in their view may contribute to security incidents.
The insurance industry has not been immune from such scrutiny, and the imposition of business practice requirements intended to enhance cybersecurity sector-wide. For example, the New York Department of Financial Services (‘NYDFS’) in March 2017 issued its Cybersecurity Regulation (23 NYCRR 500) (‘the NYDFS Cybersecurity Regulation’), a groundbreaking and far-reaching regulatory regime focused on financial institutions licensed in New York, including insurance companies. Later that year, the National Association of Insurance Commissioners (‘NAIC’) adopted its Insurance Data Security Model Law (‘the NAIC Model’) as a framework cybersecurity law for the insurance industry. Additionally in 2017, Connecticut passed legislation requiring that health insurers, third-party administrators, and related entities implement and maintain a comprehensive information security program with specific minimum requirements to protect insureds’ personal data.
Now various state legislatures, with a boost from the NAIC and New York activity, are increasingly focusing on the insurance sector. Three States – Ohio, Michigan, and South Carolina – have recently enacted into law variations of the NAIC Model. More states are sure to follow.
To date, state legislatures have hewn fairly closely to the NYDFS and NAIC approaches, avoiding the enactment of conflicting requirements that might make compliance materially more burdensome and complicated. This is a promising trend for insurers with multi-state operations, but vigilance is warranted, particularly in light of the very active state legislative and enforcement environment in this area¹. Furthermore, in light of the current legislative debate over the value of federal preemption to help ensure consistency of privacy and data security regulation, all sectors may find of interest the progress and practical impact of state-level insurance cybersecurity regulation in the US.
NYDFS: Setting a new bar for state cybersecurity regulation
The NYDFS Cybersecurity Regulation requires covered entities – banks, insurance companies, and other financial services institutions – to implement a wide range of practices to manage cybersecurity risk.
The NYDFS Cybersecurity Regulation is groundbreaking in several ways, including for the granularity of its requirements. To date, most other state data security laws have required covered entities to implement ‘reasonable’ data security without much specificity as to what must be done to meet that standard². At the federal level, the Gramm-Leach-Bliley Act of 1999 (‘GLBA’), which state insurance commissioners oversee through their own respective state laws and regulations³, takes a process-oriented approach to data security requirements, eschewing specificity. In contrast, the NYDFS Cybersecurity Regulation specifies in considerable detail the policies, procedures, and safeguards that a covered entity must implement based on risks and vulnerabilities identified during periodic cybersecurity risk assessments.
The NYDFS Cybersecurity Regulation also expands the scope of covered data, by defining ‘non-public information’ to include not only the types of information traditionally covered by other data security laws, including data breach notification laws, but also other data for which compromise poses a material risk to the business or its operations.
Additionally, the NYDFS Cybersecurity Regulation requires breach reporting within 72 hours to the NYDFS. Reporting obligations are triggered by an incident affecting any information a covered business maintains that could be reasonably likely to materially harm operations, or that triggers some other regulatory notification⁴.
The NAIC Model reflects the NYDFS Cybersecurity Regulation, and offers states a common approach
The NAIC’s Model Law is intended to apply to any individual or nongovernmental entity that is licensed, authorised, or registered under insurance laws, as well as industry service providers (licensees). It is notable that a NAIC taskforce had been evaluating industry cybersecurity standards since 2015, but following the enactment of the NYDFS Cybersecurity Regulation, the taskforce substantially revised its planned approach to mirror the NYDFS Cybersecurity Regulation’s terminology and requirements⁵.
The NAIC Model, which leverages and builds on core GLBA and NYDFS Cybersecurity Regulation requirements, includes requirements to:
- Develop, implement, and maintain a comprehensive, risk-based information security programme: The programme must encompass administrative, technical, and physical safeguards to protect non-public consumer information and the licensee’s information systems. The chosen safeguards should be commensurate with the size and complexity of the business, as well as responsive to the risks identified during regular risk assessments. Like the NYDFS Cybersecurity Regulation, covered information (i.e., nonpublic information) under the NAIC Model is broader than the personal information historically covered by the GLBA and state data security laws.
- Implement appropriate security measures: The NAIC Model offers a list of common security measures that each licensee should implement as appropriate. Such measures include access limitations, multi-factor authentication, encryption of non-public information during transit and on portable devices, intrusion detection mechanisms, audit trails, data retention and disposal practices, and disaster recovery and business continuity plans.
- Have an incident response plan: Each licensee must have a written incident response plan designed to promptly respond to and mitigate any cybersecurity incident. The NAIC Model contains specific plan requirements, such as internal response processes, clearly defined roles and decision-making authority, managed internal and external communications, incident documentation procedures, and mechanisms for post-incident revision and remediation.
- Report cybersecurity events: The NAIC Model provides a very detailed process by which a licensee must notify the state insurance commissioner of ‘cybersecurity events.’ An event must be reported to the state regulator if either (i) the state is the insurance licensee’s state of domicile or its home state; or (ii) the compromise of non-public information of at least 250 state residents requires reporting pursuant to another applicable law, or creates a reasonable likelihood of material harm to a consumer or business operations. Reporting must occur within 72 hours of discovering the event. Licensees must retain for five years all records concerning a cyber event, and must make those records available to the commissioner upon request.
- Train employees: Licensees must provide security awareness training to employees. Licensees are also responsible for monitoring legal and threat developments in the cybersecurity landscape and for updating their training program (as well as security safeguards) to reflect these developments.
- Involve the board: Under the NAIC Model, a licensee’s board of directors is ultimately responsible for overseeing the information security program. The board must receive an annual report on the overall status of the security program.
- Conduct planned security assessments: The NAIC Model requires licensees to ‘no less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.’ This broad language leaves room for variances at the state level for tighter timeframes or more specific required testing. For example, the NYDFS Cybersecurity Regulation requires annual penetration testing and vulnerability scanning, which are two of the many types of assessments that might satisfy the NAIC Model requirement.
- Oversee vendors: Licensees must exercise due diligence by vetting vendors prior to onboarding, and must contractually require vendors to implement appropriate safeguards to protect non-public consumer information and information systems. If a cyber event occurs within a vendor’s systems, licensees must launch an investigation to gather information about and document the event.
- Certify compliance annually: Licensees must annually certify their compliance with the applicable state law with the state insurance commissioner. Additionally, licensees must retain for five years all records, schedules, and data supporting their compliance.
Additionally, the NAIC Model offers an exception that presumably is intended to facilitate greater cooperation and information sharing with the state insurance department by licensees about threats and security incidents. Any materials acquired by the state insurance department in the course of enforcing the state law are deemed privileged and confidential, and thus would not be subject to the Freedom of Information Act of 1966 or subpoena, nor would such information be discoverable or admissible as evidence in a lawsuit.
Recent state actions
While influential on its own, the NAIC Model is meant to be enacted into law. Upon approving the NAIC Model in October 2017, the NAIC called upon ‘legislatures or regulatory bodies to adopt [the NAIC Model], with as few changes as possible, in a majority of states within three years.’ To date, South Carolina, Ohio, and Michigan have adopted a version of the NAIC Model. Thus far, the state laws closely follow the NAIC Model, but with some differences in the details.
The South Carolina Insurance Data Security Act (‘the South Carolina Bill’) was signed into law on 3 May 2018 and became effective on 1 January 2019, with delayed enforcement of the written information security and vendor management programmes until 1 July 2019 and 1 July 2020, respectively. The South Carolina Act requires that insurers, agents, and other licensed entities doing business in the State implement a comprehensive written information security program that is appropriate to the size of the licensee, the licensee’s activities, and the sensitivity of consumer information the licensee handles. The South Carolina Act maintains the 72-hour breach reporting deadline to the insurance regulator, and generally aligns with the NAIC Model. The Director of the South Carolina Insurance Department is empowered to issue regulations to implement the South Carolina Bill, a provision included in the NAIC Model.
On 19 December 2018, Ohio became the second State to adopt a law based on the NAIC Model. Ohio Senate Bill 273 (ORC §§3965.01-11) (‘the Ohio Bill’) is enforceable on 20 March 2020, but allows licensees an additional year to implement the written information security program and an additional two years to establish a vendor management programme. The Ohio Bill generally mirrors the NAIC Model, including by imposing a breach reporting deadline of three business days, but with two notable differences. First, a licensee in compliance with the Ohio Bill has an affirmative defense to an Ohio tort claim that alleges the company’s lack of reasonable cybersecurity controls caused a data breach. Ohio’s cyber ‘safe harbour’ is a first-of-its-kind measure. Over time, such safe harbours could become useful legislative tools to encourage companies to invest in compliant information security programs. Second, the Ohio Bill specifies that, as to insurance licensees, it ‘constitutes the exclusive state standards and requirements applicable to cybersecurity events, the security of nonpublic information, data security, investigation of cybersecurity events, and notification to the superintendent of cybersecurity events.’ The exclusivity provision does not appear to rule out the applicability of Ohio’s breach notification rules for individual notification, which the Ohio Bill does not address. As with South Carolina, the Ohio Superintendent of Insurance can issue regulations as necessary to carry out the Ohio Bill.
On 28 December 2018, Michigan became the third state to adopt a law based on the NAIC Model with Michigan House Bill 6491 (MCL §500.550) (‘the Michigan Bill’). The Michigan Bill is nearly identical to the South Carolina Bill. However, the Michigan Bill gives licensees ten business days from determination of a cyber incident to notify the State regulator, a generous deviation from South Carolina’s 72-hour rule. The Michigan Bill is enforceable as of 20 January 2021, with delayed enforcement of one year for the written information security program provisions and two years for the vendor management program provisions.
Like the NAIC Model, the South Carolina Bill, the Ohio Bill, and the Michigan Bill do not supersede existing state breach notification rules for notification thresholds, and content requirements for individual consumer data breach notifications. However, these new bills do contain slight, but important, variations for state insurance regulator notifications. Following the NAIC Model, the South Carolina Bill calls for reporting to the State regulator if either (i) South Carolina is the insurance licensee’s state of domicile or home state; or (ii) the compromise of nonpublic information of at least 250 South Carolinians requires reporting pursuant to another applicable law or creates a reasonable likelihood of material harm to a consumer or business operations. Ohio and Michigan take a slightly different approach, in that the risk of harm threshold applies even where notice is based on the state being the licensee’s domicile or home state. The NAIC Model, the Ohio Bill, the Michigan Bill, and the South Carolina Bill all have detailed content requirements for the notices.
In contrast, the NYDFS Cybersecurity Regulation requires notice of cybersecurity events to the NYDFS only when the event must be reported pursuant to another applicable law, or is reasonably likely to cause material harm to normal operations of the business. It does not separately include an assessment of harm to consumers. The NYDFS Cybersecurity Regulation also does not include detailed content requirements for notices.
What’s next?
It is reasonable to expect additional states to move forward with similar legislative initiatives focused on insurance sector cybersecurity. It is unclear how quickly this will occur, and whether forthcoming state laws will remain reasonably consistent with the NAIC Model. At the time of publication, relevant legislative activity is underway in at least Rhode Island, Mississippi, Nevada, New Hampshire, and Oregon, and in addition, the Washington State Office of the Insurance Commissioner included adoption of the NAIC Model in its 2019 legislative agenda.
What is also notable is the effect that the NYDFS Cybersecurity Regulation and the NAIC Model are having on federal regulators. On 5 March 2019, the Federal Trade Commission (‘FTC’) announced it will be seeking comments on proposed amendments to its GLBA Security Rule, which currently imposes high-level, process-oriented requirements. In proposing more expansive requirements, the FTC expressly acknowledged the influence of the NYDFS Cybersecurity Regulation and the NAIC Model⁶.
To remain compliant, insurance industry licensees will need to continue monitoring state developments and updating their information security programmes as new requirements and variants of existing requirements are enacted.
This article was first published in DataGuidance (April 2019).
Authored by Harriet Pearson, Timothy Tobin and Morgan Perna
[1] Uber’s agreement in September 2018 to pay a record $148 million to settle a state attorneys general data breach investigation is a noteworthy example of such enforcement activity.
[2] While some state insurance laws and regulations have included data security provisions for some time, the first detailed state data security requirements were in the Massachusetts Data Security Regulation of 2010. See 201 CMR 17.00. The Massachusetts Data Security Regulation of 2010 is of general applicability and is not sector-specific. It prescribes that companies have a written information security programme with appropriate vendor oversight and technical security controls, but the NYDFS Cybersecurity Regulation and the NAIC Model Law are even more detailed in their requirements for financial institutions and insurance companies, and apply to a broader set of data.
[3] In recognition of the McCarran-Ferguson Act of 1945, which exempts the business of insurance from most federal regulation, the GLBA specifies that ‘[n]othing in this paragraph shall be construed to alter, affect, or otherwise limit the authority of a State insurance authority to adopt regulations to carry out this subchapter,’ i.e., the GLBA data security provisions. See 15 USC §6804(a)(1)(D), and 15 USC §6701 (clarifying that the McCarran-Ferguson Act of 1945 remains the law of the US).
[5] While the NAIC Model still differs from the NYDFS Cybersecurity Regulation in some respects, to address concerns about such inconsistency the NAIC Model states that licensees in compliance with the NYDFS Cybersecurity Regulation are deemed to be in compliance with the NAIC Model.
