In late December, Ohio became the second state to adopt the National Association of Insurance Commissioners' (NAIC) Insurance Data Model Law, joining South Carolina in enacting cybersecurity requirements that insurers must follow. Lawyers said the law included largely agreed upon cybersecurity best practices, which if implemented nationwide could be an easier model for attorneys to follow, unlike a patchwork of regulations.

The South Carolina and Ohio laws closely mirror the National Association of Insurance Commissioners' Insurance Data Security Model Law, which was finalized by the association in 2017. The cybersecurity best practices recommended by the NAIC include board of director oversight, ongoing risk assessment, multifactor authentication and encryption. South Carolina implemented its law in April 2018, and Ohio's regulations are set to go largely into effect in a year.

Hunton Andrews Kurth partner Michael Levine said of the Ohio and South Carolina legislation, “This is another layer of protection for information that is provided to insurance companies and requires they adhere to the statue.”

The NAIC's law model comes as a response to a 2017 New York state law mandating financial companies implement multifactor authentication, compliance certification and other security controls.

Mayer Brown U.S. insurance regulatory practice chair Lawrence Hamilton said the New York law and the South Carolina and Ohio adoptions of the NAIC model law offers a much needed uniform cyber standard for insurers. 

However, Hamilton noted the Ohio law included an uncommon measure that provides a defense against torts brought in Ohio alleging the insurance company's lack of reasonable cybersecurity controls caused a data breach. An insurance company would have an affirmative defense to such a charge if they “satisfy” the provisions in the new law. A similar safe harbor is offered in an Ohio data breach notification law.

This new law comes days after a hackers group called “The Dark Overlord” alleged they had hacked insurers Hiscox, Lloyds of London and Silverstein Properties.

The Ohio legislation also includes a new amended definition of a cybersecurity event as an incident that causes unauthorized access or misuse of information “that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” 

“[Ohio] redefines cybersecurity event to include that phrase,” Hamilton explained. “They are recognizing you want to focus on those cybersecurity events that are really a threat or a threat to consumers.”

Jeffrey Taft, also a Mayer Brown partner, however, noted that changes to the NAIC's model law could make it difficult for insurance companies to use it as a base standard.

“States will make changes to the model law and make it less uniform with other states and require specific provisions to comply,” Taft said. “It's hard to comply with each individual jurisdiction; you usually end up complying with the most conservative jurisdiction.”

Still, while regulation uniformity across the nation may be preferred, lawyers said the NAIC's insistence on providing notification to regulators in 72 hours may not be practical.

“Seventy-two hours will take companies a bit of getting use to,” said Mayer Brown partner Marcus Christian. “Sometimes it takes more than 72 hours. Companies dealing with those types of crises, it isn't the first thing that comes to their minds, 'Let's talk to the regulators.'”

Nonetheless, Christian explained, a uniform law eases complexity for companies and increases customers' confidence and is seen as a positive measure.