By Joshua Mooney and Laura Schmidt
On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).
The Model Law applies to “Licensees” that handle, process, store or transmit “Nonpublic Information.” (Insurers that are acting as an assuming insurer domiciled in another state or jurisdiction and purchasing groups or risk retention groups that are licensed and chartered in another state are not “Licensees.”) The definition for “Nonpublic Information” (NPI) is broader than state laws that typically focus on personally identifiable information (PII), and closely follows the meaning of “Nonpublic Information” under the New York Department of Financial Service’s (NYDFS) recently enacted Cybersecurity Regulations, 23 NYCRR § 500.00 et seq. (NYDFS cyber regulations). NPI under the Model Law includes:
- business-related information of the Licensee that, if tampered with or disclosed, would have a material adverse impact on the Licensee’s business, operations or security;
- information concerning a consumer that, because of an identifier in combination with certain data elements, can be used to identify the consumer; and
- any information that is created by or derived from a heath care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
In fact, a quick glance of the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the Model Law requires Licensees to develop an information security program based upon a security assessment, and investigate and notify regulators of “Cybersecurity Events” the Licensee sustains. A drafting note in the law states that if a Licensee complies with the NYDFS’s cyber regulations, then the Licensee is deemed to comply with the requirements of the Model Law.
However, the Model Law also contains some noteworthy differences to the NYDFS cyber regulations regarding the establishment of an information security program and requirements for investigating and providing notice of a Cybersecurity Event.
Establishing an Information Security Program
Like the NYDFS cyber regulations, the Model Law requires insurers to develop an information security program designed to protect NPI and the Licensee’s information systems. The Licensee’s information security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including the security of NPI and Information Systems accessible to or held by Third-Party Service Providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, Information Systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the Licensee’s enterprise risk management process, and the Licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a Cybersecurity Event.
Consistent with the NYDFS cyber regulations, the Model Law expressly imposes responsibility upon the Licensee’s board of directors to oversee the Licensee’s management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information security program, and receive an annual report on the status of the entity’s information security program, including further assessments and third-party service provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the Licensee’s board of directors, the Model Law increases the directors’ and officers’ exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the Model Law also requires the Licensee to certify in writing to the state commissioner every February 15 that its information security program complies with the law’s requirements. Like under the cyber regulations, if there are areas, systems, or processes that need improvement or are noncompliant, the Licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.
Despite similarities between the Model Law and the NYDFS cyber regulations for establishing an information security program, there also are some material differences. The Model Law allows the information security program to be “commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee’s activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee’s possession, custody, or control[.]” This qualifier is more akin to information security requirements under HIPAA than the NYDFS cyber regulations.
The Model Law also requires the Licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the Licensee. The Model Law identifies several security measures that the Licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage to NPI due to environmental hazards.
Additionally, The Model Law provides that the Licensee’s information security program must include the oversight of third-party service providers. However, unlike the NYDFS cyber regulations, the Model Law does not expressly require a Licensee to develop policies and procedures for conducting due diligence and oversight over third party service providers. Instead, Licensees only must exercise due diligence in selecting third-party service providers and require such providers to implement administrative, technical, and physical measures to protect and secure the Licensee’s NPI to which it has accesses or possession.
Investigation and Notification of a “Cybersecurity Event”
The Model Law requires Licensees to promptly investigate “Cybersecurity Events.” The Model Law is similar to the NYDFS cyber regulations in that it requires a Licensee to notify the state insurance commissioner no later than 72 hours from a determination that a Cybersecurity Event. However, there are material differences between the NYDFS cyber regulations and the Model Law for notice requirements.
First, the criteria for triggering notice under the Model Law are broader. Notice under the Model Law is required if the insurer is domiciled in the state in which the Model Law was enacted; or if the Licensee reasonably believes that the NPI involved is of 250 or more consumers residing in the state, and either: (a) the Licensee is required to provide notice of the Cybersecurity Event to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (b) there is a “reasonable likelihood” of the Cybersecurity Event materially harming: (i) any Consumer residing in the state; or (ii) any material part of the normal operations of the Licensee. Under the NYDFS cyber regulations, notice is required only if the Cybersecurity Event requires notice to any government body, self-regulatory agency or any other supervisory body; or if the Cybersecurity Event has a “reasonable likelihood” of materially harming any Covered Entity’s normal operations.
Second, the Model Law has a narrower definition for “Cybersecurity Event.” Whereas the NYDFS cyber regulations defines a “Cybersecurity Event” as “means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System,” the Model Law defines the term as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” (emphasis added). Under the Model Law, a Licensee also must conduct an investigation if it learns that a Cybersecurity Event occurred or may have occurred in a system maintained by one of its third-party vendors.
Any investigation must be geared toward determining: (1) whether a Cybersecurity Event occurred; (2) the nature and scope of the event; (3) the NPI implicated or compromised; and (4) necessary measures to restore the security of the Licensee’s Information Systems.
Third and finally, the Model Law recognizes the unique business to business relationships that exist within the insurance industry by including different notification requirements for reinsurers to insurers and insurers to producers of record.
Quick Takeaways
Regulators and lawmakers are identifying standards in cybersecurity that companies should be implementing to protect business operations and consumer information. The NAIC’s Model Law joins a growing group of laws and regulations instituted by New York, Connecticut, Massachusetts, Colorado, and Vermont that specifically require companies to institute cybersecurity programs, policies, and procedures. The Model Law has many similarities with the NYDFS cyber regulations, but there are some differences. Both regimes recognize that protecting critical business operations is just as important as protecting consumers information.
These laws and regulations will serve as a roadmap for plaintiffs and shareholders pursuing civil litigation against Licensees. The FTC also can be expected to look to these laws when determining whether a company engaged in “deceptive” or “unfair” practices. Companies that fail to implement these standards can expect enforcement, and perhaps significant fines. For some companies, a regulatory enforcement action piled on to the effects of a data breach or ransomware-type event can mean the difference between recovery and bankruptcy. Now is the time to act. Brokers and insurers should start preparing for cybersecurity compliance by conducting necessary risk assessments and building a solid information security program.