In the United States, a significant legislative trend is on the horizon for insurers in 2020: a new breed of state privacy and cybersecurity laws. In the absence of federal intervention, a growing number of state legislatures are enacting laws and regulations modeled on California’s Consumer Privacy Act for all businesses, and, in parallel, prescribing privacy and cybersecurity requirements directed at insurers. To help insurers stay ahead of the curve, we summarize below several cybersecurity measures set to go into effect later this year.
The trend began with New York. The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (Part 500) was enacted in 2017, and took full effect on March 1, 2019. Initially, it stood as the first cybersecurity regulation broadly directed at financial services companies, including insurers.
Shortly thereafter, however, and in anticipation of further legislative activity in this area, the National Association of Insurance Commissioners (NAIC) (the industry’s state-based standard-setting organization) collaboratively proposed a “Data Security Model Law” to help harmonize cybersecurity requirements for insurers. Eight states have adopted a version of the NAIC’s Model Security Law thus far.
Elements of a Model Security Law
Although differences exist, each state version of NAIC’s Model Security Law requires insurers to do the following:
- Conduct a risk assessment and implement and maintain a cybersecurity program that is based on identified risks;
- Develop, implement, and maintain an incident response plan;
- Provide oversight of third-party service providers;
- Investigate and report data security incidents; and
- Certify compliance with the respective law/model regulation.
Primary differences among the laws and the Model Security Law relate to the definitions of cybersecurity events and notifications, the scope of certain exemptions, and certain prescriptive requirements outlined in New York’s Cybersecurity Regulation.
Regulatory Transition Period
The NAIC’s Model Security Law generally allows for two transition periods so insurers have time to implement the new administrative, technical, and physical regulatory requirements. The first transition period covers the actual security program requirements, and the second transition period covers requirements to ensure third-party safeguards. South Carolina was the first state to adopt the Model Security Law, with its first transition period ending on July 1, 2019, and the requirements related to third-party safeguards scheduled to take effect on July 1, 2020.
Model Security Law Deadlines
Below is the full set of deadlines (in deadline order) for both the security program and third-party safeguards in each of the states that have adopted a version of the NAIC’s Model Security Law.
| # | Phase 1 “Security” Deadline | Phase 2 “Third Party” Deadline | State | Comments |
|---|---|---|---|---|
| 1 | July 1, 2019 | July 1, 2020 | South Carolina | July 1, 2019 is deadline for implementing a comprehensive, written information security program. February 15, 2020 is deadline for each insurer domiciled in South Carolina to annually submit a written statement certifying compliance. By July 1, 2020, insurers must have implemented requirements for third-party service providers. |
| 2 | March 30, 2020 | March 20, 2021 | Ohio | |
| 3 | April 25, 2020 | April 25, 2021 | Alabama | |
| 4 | July 1, 2020 | July 1, 2021 | Mississippi | |
| 5 | July 31, 2020 | July 31, 2021 | Delaware | |
| 6 | October 1, 2020 | October 1, 2021 | Connecticut | |
| 7 | January 1, 2021 | January 1, 2022 | New Hampshire | |
| 8 | January 20, 2022 | January 20, 2023 | Michigan | |
We can expect to see additional states enacting Model Security Laws in 2020. In fact, on January 29, 2020, Assembly Bill 819, which follows the Model Security Law, was introduced in the Wisconsin State Assembly. Insurers should also expect states to introduce other legislation targeted at data security as state legislatures go into session this year. To learn more about these regulatory trends impacting insurers, visit the NAIC’s website at https://www.naic.org/.