Since July 1, 2019, Delaware, New Hampshire and Connecticut have enacted laws imposing new cybersecurity requirements on insurers. These laws follow similar statutes already operating in at least six other states: Alabama, South Carolina, New York, Ohio, Michigan and Mississippi. Additional laws are likely in the coming year.
The latest laws and their predecessors are generally outgrowths of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (“Model Law”). NAIC issued its Model Law in 2017 and has strongly encouraged state insurance authorities to adopt similar security protections, absent similar existing legislation. The Model Law’s provisions call for insurers to develop a written cybersecurity program, investigate and quickly report data breaches, conduct risk assessments and annually certify their compliance with security provisions.
The provisions of each state’s insurance cybersecurity law differs, although they generally take the Model Law as a starting point. For example, both New Hampshire and Delaware relaxed the 72 hour notice deadline recommended in the Model Law and, instead, require notice be provided to the insurance commissioner within three business days of a cybersecurity event. Most of the new laws include requirements that insurers notify consumers when the consumers’ data is affected by an incident. The laws differ in terms of how long insurers have to provide consumer notice (e.g., Delaware requires insurers to provide consumers notice within 60 days of determining the consumers’ information has or may have been compromised). The laws differ with regard to the number of employees a company has to have to trigger coverage under the Model Law (e.g., companies with fewer than 15 employees may be exempt).
Insurers should assess their in-house cybersecurity programs for compliance across these states and monitor similar developments in those states that have as yet to pass similar laws. Some states, like New Hampshire, offer safe harbor protections for companies that comply with New York State’s Department of Financial Services’ (DFS) Cybersecurity Regulation. Given that the New York DFS Cybersecurity Regulation goes beyond the Model Law in some respects, ensuring security programs comply with that regulation may provide companies a good starting point in crafting security programs capable of addressing multiple states’ requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.