South Carolina Is First State to Adopt Insurance Cybersecurity Requirements
Because of the multi-state nature of the insurance industry, major insurance licensees will likely adopt stringent cybersecurity compliance programs.
March 27, 2019 at 09:00 PM
The original version of this story was published on Law.com
In October 2017, the NAIC adopted an Insurance Data Security Model Law that builds on existing data privacy and consumer breach notification obligations. The Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. The Model Law also requires a licensee to satisfy specific requirements related to:
- Risk assessment and management;
- Oversight of third-party service providers;
- Incident reporting, investigation and notification;
- Annual certification; and
- Exceptions (if eligible).
In the United States, the business of insurance is regulated primarily at the state level. That means that the Model Law will not actually apply to a licensee unless and until it is enacted into law by a jurisdiction where that licensee is licensed.
The Model Law has strong similarities to the 2017 cybersecurity regulation issued by the New York Department of Financial Services (NYDFS), so insurance licensees in New York should already have a good handle on compliance. In fact, a drafting note to the Model Law states that the NAIC intends for compliance with the New York regulation to satisfy a licensee's obligations under the Model Law.
The Model Law is intended to apply to more than just insurers, and includes in its scope most other types of business entities and individual professionals that are licensed under a state's insurance law — including insurance agents and brokers. However, the Model Law excludes from the definition of licensee purchasing groups or risk retention groups that are chartered and licensed in another state, and insurers that are only assuming business in the state as reinsurers and are domiciled in another state. This definition — like all aspects of the Model Law — may be further tailored by individual states as they adopt the Model Law.
2018 implementation progress
In 2018, the Model Law was enacted in only three states: South Carolina, Ohio and Michigan. It is worth looking at the unique twists and turns of each state's version of the Model Law.
South Carolina
In May 2018, South Carolina became the first state to enact the Model Law, and its version is practically identical to the NAIC's Model Law. The only meaningful difference is that South Carolina adopted language stating that the law does not create “any duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network.”
The South Carolina law took effect on Jan. 1, 2019, and requires compliance by July 1, 2019 for most provisions and July 1, 2020 for provisions related to third-party service providers.
Ohio
In December 2018, Ohio became the second state to enact the Model Law, and its version is substantially similar to the Model Law. Most of the differences between Ohio's version and the Model Law are non-substantive, but four are worth paying attention to.
First, Ohio narrowed the Model Law's definition of a “cybersecurity event” by requiring that, in order to qualify as such an event, an incident that causes unauthorized access to or misuse of information must also have “a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” That narrowing of the definition means that licensees should focus primarily on incidents that pose a genuine threat to consumers or to the licensee.
Second, Ohio altered the Model Law's approach to cybersecurity event notifications by changing the notification deadline from 72 hours after identifying that a reportable incident has occurred to three business days.
Third, Ohio expanded the Model Law's exemptions for small licensees. The Model Law exempts licensees with fewer than 10 employees, but Ohio's version exempts licensees with fewer than 20 employees, or with less than $5 million in annual gross revenue, or with less than $10 million in assets.
Fourth, Ohio added a new clause that provides an express defense against torts claims brought in Ohio that allege that an insurance licensee's lack of reasonable cybersecurity controls caused a data breach. Under this measure, an insurance licensee will have an affirmative defense to such a lawsuit if it has satisfied the requirements of the new law. A similar safe harbor is offered in an Ohio data breach notification law that was also enacted in 2018.
The Ohio law takes effect on March 20, 2019, and requires compliance by March 20, 2020 for most provisions and March 20, 2021 for provisions related to third-party service providers.
Michigan
Also in December 2018, Michigan became the third state to enact the Model Law, and its version is substantially similar to the Model Law. As with Ohio, most of the differences between Michigan's version and the Model Law are non-substantive, but two are worth paying attention to.
First, Michigan altered the Model Law's approach to cybersecurity event notifications by extending the notification deadline from 72 hours after identifying that a reportable incident has occurred to 10 days, and embedding a consumer notification requirement in the law that is based on Michigan's ID Theft Prevention Act.
Second, Michigan expanded the Model Law's exemption for small licensees. The Model Law exempts licensees with fewer than 10 employees, but Michigan's version exempts licensees with fewer than 25 employees (including any independent contractors).
The Michigan law takes effect on Jan. 20, 2021, and requires compliance by Jan. 20, 2022 for most provisions and Jan. 20, 2023 for provisions related to third-party service providers.
2019 prospects and beyond
While there have been no significant surprises to date in state enactments of the NAIC's Insurance Data Security Model Law, insurance licensees will need to track and analyze each new enactment as it occurs to identify any new, more stringent requirements. It is likely that multi-state and nationwide licensees will determine it is most efficient and cost-effective to adopt the “least common denominator” approach by complying enterprise-wide with the most stringent information security requirements imposed by any state in which the licensee is licensed.
Versions of the Model Law have been introduced in the Connecticut, Mississippi, Nevada, New Hampshire and Rhode Island legislatures. But it remains to be seen how states with existing, non-Model Law insurance cybersecurity requirements will respond to the roll-out of a nationwide standard.
Importantly, the Model Law has been well received at the federal level, with the Department of the Treasury, in its October 2017 Report on Asset Management and Insurance, strongly endorsing the model law and recommending that Congress consider adopting federal legislation that would preempt state law if the Model Law is not adopted within five years.
We expect that states will continue to enact the Model Law in 2019 and beyond. Because of the multi-state nature of the insurance industry, major insurance licensees will likely adopt compliance programs that satisfy the most stringent version of the Model Law that applies to their operations, while smaller non-insurer licensees (such as insurance producers) will likely adopt the compliance programs of the insurers with which they are affiliated.
Lawrence R. Hamilton ([email protected]) is a partner at Mayer Brown LLP in Chicago.
Jeffrey P. Taft ([email protected]) is a partner at Mayer Brown LLP in Washington, D.C.
Matthew Bisanz ([email protected]) is an associate at Mayer Brown LLP in Washington, D.C.