Additional States Adopt Cybersecurity Requirements for Insurance Companies

Akin Gump Strauss Hauer & Feld LLP

Since July 1, 2019, Delaware, New Hampshire and Connecticut have enacted laws imposing new cybersecurity requirements on insurers. These laws follow similar statutes already operating in at least six other states: Alabama, South Carolina, New York, Ohio, Michigan and Mississippi. Additional laws are likely in the coming year.

The latest laws and their predecessors are generally outgrowths of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (“Model Law”). NAIC issued its Model Law in 2017 and has strongly encouraged state insurance authorities to adopt similar security protections, absent similar existing legislation. The Model Law’s provisions call for insurers to develop a written cybersecurity program, investigate and quickly report data breaches, conduct risk assessments and annually certify their compliance with security provisions.

The provisions of each state’s insurance cybersecurity law differ, although they generally take the Model Law as a starting point. For example, both New Hampshire and Delaware relaxed the 72-hour notice deadline recommended in the Model Law and instead require that notice be provided to the insurance commissioner within three business days of a cybersecurity event. Most of the new laws include requirements that insurers notify consumers when the consumers’ data is affected by an incident. The laws differ in how long insurers have to provide consumer notice (e.g., Delaware requires insurers to provide consumers notice within 60 days of determining the consumers’ information has or may have been compromised). The laws also differ with regard to the number of employees a company must have to trigger coverage under the Model Law (e.g., companies with fewer than 15 employees may be exempt).

Insurers should assess their in-house cybersecurity programs for compliance across these states and monitor similar developments in those states that have yet to pass similar laws. Some states, like New Hampshire, offer safe harbor protections for companies that comply with New York State’s Department of Financial Services’ (DFS) Cybersecurity Regulation. Given that the New York DFS Cybersecurity Regulation goes beyond the Model Law in some respects, ensuring security programs comply with that regulation may provide companies a good starting point in crafting security programs capable of addressing multiple states’ requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising
