On May 1, 2019, Governor Kay Ivey signed Alabama S.B. 54 into law, making Alabama the latest state to mandate heightened cybersecurity and data privacy standards for the insurance industry. The Insurance Information Security Program Requirement applies specifically to insurers and other entities licensed by the Alabama Department of Insurance (DOI). The law requires licensees to develop and implement an information security program and to report certain cybersecurity events to the Commissioner of Insurance (Commissioner), and it provides for civil penalties under certain conditions.

S.B. 54 is based on the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC). (See our January 3, 2019, post for more information on the NAIC Model Law). The NAIC Model Law outlines a framework of generally accepted best practices in information security, as well as a legal framework for requiring insurance companies to implement such programs.

Although the law was enacted on May 1, 2019, licensees have one year, until May 1, 2020, to implement the statute's information security program requirements, and until May 1, 2021, to implement the statute's required controls for third-party service providers. Entities not regulated by the DOI are not affected by the new law, but they must still comply with Alabama's existing data breach notification law, Ala. Code §§ 8-38-1 through 8-38-12.

S.B. 54 expands upon Alabama's existing data privacy laws for insurers by a) introducing a new definition of protected information ("nonpublic information"), b) requiring notification to the Commissioner of cybersecurity events, c) requiring applicable licensees to develop, implement, and maintain a written information security program, and d) expanding the power of the Commissioner to monitor compliance and impose penalties for non-compliance.

Definition of Personal Information

Under the new law, Alabama licensees are subject to a new definition of protected information. "Nonpublic information" refers to any electronic information, not publicly available, concerning a consumer that, because of a name, number, or other identifier, can be used to identify the consumer, in combination with any of the following elements:

  • Social Security number;
  • Driver's license number or Alabama identification card number;
  • Financial account number, credit card, or debit card number;
  • Security code, access code, or password that would permit access to a consumer's financial account;
  • Biometric records;
  • Any information or data, except age or gender, derived from a health care provider that can be used to identify a particular consumer and that relates to:
    • Past, present, or future physical, mental, or behavioral health of a consumer or member of the consumer's family,
    • Provision of health care to any consumer, or
    • Payment for the provision of health care to any consumer.

Cybersecurity Event Notification and Investigation

Under Alabama's existing breach notification law, notification is not required if, after a prompt, good-faith investigation, it is determined that a breach of security is not reasonably likely to cause substantial harm to the individuals whose information was involved. Written notice to the Alabama Office of the Attorney General is required only when the number of affected individuals exceeds 1,000.

The new law adds a separate regulatory notice. DOI-regulated entities must notify the Commissioner "as promptly as possible," and no later than three business days from a "determination that a cybersecurity event involving nonpublic information that is in the possession of the licensee has occurred." In addition, a licensee that learns a cybersecurity event may have occurred must conduct a prompt investigation as set out in the statute. If the affected information was held in a system maintained by a third-party service provider, the licensee must still complete the investigation and notification steps itself, or confirm and document that the third party undertook them.

Additional Provisions and Exceptions

The new law also requires licensees to develop, implement, and maintain a written information security program, including an incident response plan. The Commissioner may examine and investigate a licensee to determine whether it is in violation of the law, and may impose penalties for non-compliance.

There are exceptions for qualifying licensees. A licensee with fewer than 25 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets is exempt from the information security program requirement, as is a licensee that provides a written statement certifying its compliance with HIPAA. These exemptions go to the information security program requirement; they do not relieve a licensee of its obligation to investigate and report cybersecurity events.

Businesses regulated by the Alabama Department of Insurance should regularly review their policies and procedures for compliance with this heightened standard. Lewis Brisbois can assist with the development of information security programs and incident response plans tailored to your organization's needs, so that your business is prepared to respond quickly and effectively to a data security, privacy, or other cyber incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.