Cyber-attacks and data breaches in the insurance sector are increasing exponentially as industry players shift to and invest in digital applications, platforms, and other advanced digital analytic systems that collect and utilize vast amounts of consumer personally identifiable information (“PPI”).

On October 24, 2017, the National Association of Insurance Commissioners[1] (“NAIC”) adopted the Insurance Data Security Model Law (“Model Law”), which creates uniform rules for insurers, brokers, agents, and other licensed entities regarding data security, investigation, and notification of breach. The central purpose and goal of the Model Law is to provide baseline requirements and encourage relative congruity between the current patchwork of state cybersecurity laws. The Model Law closely tracks[2] the New York State Department of Financial Services’ (NYDFS) recently enacted cybersecurity regulations[3] for financial services companies. In fact, a drafting note in the Model Law states that the drafters intend for compliance with the NYDFS cybersecurity regulations to be compliance with Model Law.

This article will provide a general summary of noteworthy provisions in the Model Law and discuss key takeaways and considerations for the insurance industry.

Definitions and Scope of the Model Law

Licensee

A “Licensee” is defined as any person who is (or required to be) licensed, authorized to operate, or registered pursuant to the respective state’s insurance laws, including insurers, brokers, agents, and any other insurance regulated entities. The definition expressly excludes: (i) out-of-state purchasing groups or risk retention groups, and (ii) out-of-state Licensees who are only acting and assuming business as a reinsurer.

Nonpublic Information

“Nonpublic Information” is defined as any information not generally available to the public, including: (i) a Licensee’s business-related information the tampering or unauthorized disclosure, access or use of which would cause a material adverse impact to the Licensee’s business, operations, or security (e.g., intellectual property, proprietary information, trademarks); (ii) any information concerning a consumer that can be used to identify the consumer, in combination with certain data elements (e.g., PPI); and, (iii) any information or data derived from a health care provider or consumer that also relates to certain health care information (except age and gender).

Consumer

A “consumer” is defined as any individual who is a resident of the respective state and whose nonpublic information is in a Licensee’s possession, custody, or control. This includes, but is not limited to, applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders.

Cybersecurity Event

A “cybersecurity event” is defined as any event or act that results in the unauthorized access to, or disruption or misuse of, an electronic information system or information electronically stored on an electronic information system. Importantly, the definition expressly excludes: (i) the unauthorized acquisition of encrypted nonpublic information, unless the encryption, protective process, or key is also acquired, released or used without authorization; and (ii) a circumstance wherein a Licensee determines that electronic nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

Important note: a cybersecurity event does not include unsuccessful attempts to acquire nonpublic information.

Third-Party Service Provider

A “Third-Party Service Provider” is defined as any non-Licensee that contracts with a Licensee to maintain, process, store or otherwise is permitted access to nonpublic information.

Important note: the Model Act’s third-party service provider provisions are similar to the requirements of the Gramm-Leach-Bliley safeguarding rules.[4]

Information Security Program Requirement

Implementation

The Model Law requires each Licensee (unless exempted) to develop, implement, and maintain a comprehensive written information security program—based on the Licensee’s own risk assessment—that expressly contains specific protections for nonpublic information and the Licensee’s information system(s). The information security plan should be commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee’s activities (including its use of third-party service providers), and the sensitivity of nonpublic information used by the Licensee or in the Licensee’s possession, custody or control.

Risk Assessment and Management

A Licensee must: (i) designate an internal team or outside vendor to be responsible for the information security program; (ii) identify reasonably foreseeable internal and external threats to securing nonpublic information and the Licensee’s information system(s); (iii) assess the likelihood and potential damage of such threats; (iv) assess the sufficiency of the Licensee’s policies, procedures, information system(s), and other safeguards in place to manage such threats; and (v) implement information safeguards to manage identified threats, and conduct an annual assessment of the effectiveness of the safeguard’s key controls, systems, and procedures.

Based on its completed risk assessment, the Licensee must: (i) design an appropriate information security program based on the identified risks; (ii) determine specific security measures, as well as monitor emerging threats and vulnerabilities (iii) and provide personnel with up-to-date, ongoing cybersecurity awareness training regarding the identified risks.

Board Oversight

If applicable, the Licensee’s board of directors (or an appropriate committee) must: (i) require the Licensee’s executive management or its delegate(s) to develop, implement, and maintain the information security program; (ii) require the Licensee’s executive management or its delegate(s) to provide an annual written report addressing the overall status of and compliance with the information security program, and other material matters related to the information security program.

Third-Party Service Providers Oversight

A Licensee must exercise due diligence in selecting third-party service providers and must require all selected third-party service providers to implement appropriate safeguards and other measures to protect: (i) the Licensee’s information system(s); and (ii) any nonpublic information to which the third-party service provider has access.

Ongoing Responsibility to Monitor and Adjust

The Model Law requires all Licensees to monitor, evaluate, and adjust the information security program consistent with relevant changes in technology, the sensitivity of nonpublic information, internal and external threats, and changing business arrangements (e.g., mergers, acquisitions, alliances, outsourcing, or new information systems).

Incident Response Plan

Each Licensee must establish a written incident response plan as part of its information security program, which should be designed to promptly respond to and recover from a compromising cybersecurity event. The Model Law enumerates multiple factors that the incident response plan must address and include (e.g., specific processes, procedures and goals).

Annual Certification

Each insurer must submit an annual written statement to the chief insurance regulatory official of the insurer’s domiciliary state, which certifies that the insurer is in compliance with the information security program provisions found in the Model Law. To the extent an insurer identifies specific areas, systems, or process in its information security program that requires material improvement, updating, or redesign, the insurer must document such and the remedial efforts planned or in process to address the specifically identified areas, systems, or processes.

Important note: the annual certification requirement only applies to insurers.

Cybersecurity Event Investigation Requirement

Upon learning that a cybersecurity event has or may have occurred, the Licensee or designated outside vendor must promptly conduct an investigation to, at a minimum: (i) determine whether a cybersecurity event occurred; (ii) if so, the nature and scope of the event; (iii) identify the nonpublic information that may be involved; and (iv) execute reasonable measures to restore the security of the compromised information systems. This requirement also applies to cybersecurity events that have or may have occurred to the system maintained by a third-party service provider and the Licensee is responsible for confirming or otherwise documenting that the third-party service provider conducts a prompt investigation, as outlined above. Licensees must retain documents related to cybersecurity events for at least 5 years from the date of the incident.

Cybersecurity Event Notification Requirement

Each Licensee is required to provide notification to relevant state insurance regulators as promptly as possible but in no event later than 72 hours from the time the Licensee determines a cybersecurity event occurred. Specifically, a Licensee must notify and provide specific information (detailed in the Model Law) to its home state insurance regulator of the cybersecurity event if the home state has enacted the Model Law. In addition, a Licensee must notify state insurance regulators outside of the home state if the cybersecurity event involves the nonpublic information of 250 or more consumers residing in the other state and either (i) state or federal law requires the Licensee to provide notice to a governing or supervisory body; or (ii) the cybersecurity event has a reasonable likelihood of materially harming a consumer who resides in the other state or any material part of the Licensee’s normal operation. The above requirements and process also apply to a cybersecurity event that occurred in a system maintained by a third-party service provider.

If notification to a state insurance regulator is required, Licensees must also notify consumers only if the Licensee is required to do so pursuant to the data breach notification law (if any) of the Licensee’s home state.

Important note: the Model law does not expressly require Licensees to notify consumers of a cybersecurity event.

Exceptions

There are 3 exceptions expressly provided by the Model Law. First, a Licensee with fewer than 10 employees (including independent contractors) is expressly exempt from the information security program requirements. Even so, the Licensee may still be subject to the cybersecurity event investigation and notification requirements, as well as other obligations under the Model Act.

Second, a Licensee that has established and maintained an information security program pursuant to the Health Insurance Portability and Accountability Act (HIPPA) may simply certify its compliance with such to satisfy the requirements of the Model Law.

Third, an employee, agent, representative, or designee of a Licensee, who is also a licensee, is exempt from the information security program requirement to the extent the employee, agent, representative, or designee is covered by the Licensee’s information security program.

Effective Date

Assuming a state adopts the Model Law, each Licensee will have 1 year from the date the Model Law becomes effective to implement the information security program. If applicable, each Licensee will have 2 years from the date the Model Law becomes effective to implement the information security program requirements related to third-party service providers.

Conclusion and Key Takeaways

The Model Law is indicative of the growing global concern and effort to protect nonpublic information in possession of licensees. State legislators are under mounting pressure to work together and create uniform cybersecurity laws and standards. Needless to say, the next few years will likely present significant changes and challenges related to cybersecurity for those in the insurance industry. The following are some key takeaways from the Model Law:

  • The Model Law is generally more rigorous than most existing state cybersecurity laws, but may provide Licensees with more predictable requirements and standards.
  • Although the NAIC has provided this framework, each state legislature will decide whether to adopt the Model Law or a variation thereof. As such, Licensees need to actively monitor the laws of each state in which they are licensed to determine if those state laws are different from the Model Law.
  • Under the Model Law, Licensees are not required to provide notification of an unauthorized access to encrypted information, which is consistent with many current state data breach notification laws.
  • The Model Law includes a safe harbor provision for encrypted information so long as the encryption key was not acquired, which is also consistent with many current state cybersecurity laws.
  • For Licensees subject to the NYDFS cybersecurity regulations, states may require Licensees to demonstrate compliance with the NYDFS cybersecurity regulations. Although the drafters’ note states that it is the drafters’ intent for compliance with the NYDFS cybersecurity regulations to satisfy the obligations under the Model Law, there is no express language effectuating such in the text of the Model Law.
  • In the event state laws significantly vary from the Model Law, such variations could make compliance more challenging and costly for Licensees who conduct business in multiple states.
  • The Model Law allows each state legislature to determine penalties for noncompliance, which may differ between states.