On October 24, 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law (Model Law).[1] The Model Law builds on existing data privacy and consumer breach notification obligations by requiring insurance licensees to comply with detailed requirements regarding maintaining an information security program and responding to and giving notification of cybersecurity events.
The Model Law is similar in many respects to the cybersecurity regulation that was issued earlier this year by the New York State Department of Financial Services (NYDFS).[2] However, the Model Law pertains solely to insurance licensees, and because it is only a model law, it will only apply to licensees in any given state if it is enacted into law by that state. Moreover, each state will have the freedom to modify the wording of the Model Law as it sees fit. This Legal Update (i) describes the relevant definitions and scope of the Model Law, (ii) explains the Model Law’s substantive requirements and (iii) highlights some takeaways for the insurance industry. For simplicity, this discussion assumes that a state will adopt the Model Law substantially as written.
Definitions and Scope
Licensee: The Model Law applies to any person operating under or required to operate under a license or registration issued pursuant to a state’s insurance laws. “Licensees” include not only insurance companies, but also other types of business entities and individual professionals who are licensed under a state’s insurance law (i.e., insurance agents and brokers). The Model Law expressly excludes from the definition of Licensee (i) purchasing groups or risk retention groups that are chartered and licensed in another state and (ii) insurers that are only assuming business in the state as reinsurers and are domiciled in another state.
Nonpublic Information: “Nonpublic Information” is defined as any information that is not otherwise publicly available and that is (i) business-related information, the unauthorized disclosure or use of which would cause a material adverse impact on the Licensee (e.g., trade secrets); (ii) information concerning an individual that could be combined with specified data elements to identify the individual (e.g., traditional personally-identifiable information); or (iii) derived from an individual or healthcare provider and related to certain healthcare information (except for age and gender). Like the NYDFS regulation, the Model Law broadly defines Nonpublic Information to include business-related information rather than just customer information.
Cybersecurity Event: A “Cybersecurity Event” is defined as any act resulting in unauthorized access to (or disruption or misuse of) electronically stored information. Notably, the Model Law sets limitations on what qualifies as a Cybersecurity Event that materially diverge from the NYDFS regulation. Specifically, the Model Law does not cover unsuccessful attempts to access Nonpublic Information[3] and covers unauthorized acquisitions of encrypted Nonpublic Information only if the decoding key is also acquired. Many state data breach notification laws similarly exclude unauthorized access to encrypted information from their notification requirements. The Model Law also excludes from the definition of Cybersecurity Event situations where the Licensee determines that the acquired Nonpublic Information was unused and has been returned or destroyed.
Third-Party Service Provider: A “Third-Party Service Provider” (TSP) is defined as any person that is not a Licensee, but contracts with a Licensee to maintain, process, store (or otherwise has access to) Nonpublic Information. The NYDFS regulation, by contrast, contemplates that a person could be both a covered entity and a third-party service provider.
Tracking the NYDFS cybersecurity regulation, the Model Law requires every Licensee (unless exempted) to maintain a written cybersecurity policy and to implement a risk-based cybersecurity program. A Licensee must also satisfy specific requirements related to (i) maintaining an information security program, (ii) risk assessment and management, (iii) third-party service providers, (iv) incident reporting, investigation and notification, (v) annual certification, (vi) exemptions (if eligible) and (vii) confidentiality.
Information Security Program and Board Oversight. The Model Law requires each Licensee to maintain an Information Security Program that is broadly designed to protect its Nonpublic Information. Additionally, the Licensee’s senior management must report to the Licensee’s board of directors at least annually on the overall status of the Information Security Program, including the results of risk assessments, strengths or weaknesses of its current risk management controls, the outcome of any testing, TSP arrangements and Cybersecurity Events. The required reporting must also detail any recommended changes to the Information Security Program.
Risk Assessment and Management. Like the NYDFS regulation, the Model Law requires regular risk assessments to test the adequacy of the Licensee’s Information Security Program (at least annually for key controls and systems). The Licensee must designate either an internal team or an outside vendor to identify reasonably foreseeable risks that could lead to unauthorized access to Nonpublic Information. The assessment must gauge the likelihood and potential damage of those threats and judge the adequacy of the Licensee’s existing safeguards, and the Licensee must implement new controls when the assessment shows they are needed.
Informed by the risk assessment, a Licensee is expected to develop comprehensive written policies and procedures for cybersecurity. To the extent the Licensee determines it is appropriate, such policies and procedures must address:
• Access controls and identity management;
• Data governance and classification;
• Physical security and environmental controls;
• Encryption or similar protections;
• Application development or acquisition security;
• Change management;
• Effective controls to access Nonpublic Information (e.g., multi-factor authentication);
• Regular penetration testing and monitoring systems;
• Audit trails and transaction reconstruction;
• Business continuity and disaster recovery planning and resources;
• Secure disposal of Nonpublic Information in any format; and
• TSP management (including requiring TSPs to implement appropriate security measures).
The Model Law anticipates that a Licensee’s cybersecurity policies and procedures will evolve based on emerging threats or vulnerabilities. Accordingly, the Licensee is expected to provide recurring training to educate its personnel on their obligations to secure and protect Nonpublic Information.
Incident Reporting and Cybersecurity Event Notification. Every Licensee also is required to prepare a written incident response plan to enable it to promptly respond to and recover from a Cybersecurity Event. The Model Law specifically requires an incident response plan to address seven areas:
• Internal processes for responding to a Cybersecurity Event;
• Goals of the incident response plan;
• Clearly defined roles, responsibilities and levels of decision-making authority;
• External and internal communications plans and information sharing;
• Identification of requirements for the remediation of identified weaknesses;
• Documentation and reporting of Cybersecurity Events and related incident response activities; and
• Evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.
The Model Law requires Licensees to investigate and provide notice of a Cybersecurity Event to the following state insurance regulatory officials within 72 hours of determining that such an event has occurred. First, a Licensee must notify its home state regulator of any Cybersecurity Event if that state has adopted the Model Law. Second, a Licensee must notify the insurance regulatory officials of a state other than its home state if the Cybersecurity Event involves the information of 250 or more consumers residing in that state and either (i) federal or state law requires the Licensee to disclose the incident to a governmental body or (ii) the Cybersecurity Event has a reasonable likelihood of materially harming any consumer residing in the state or any material part of the normal operation of the Licensee.
To the extent that it is feasible, the Licensee must include the following information in its notice to the regulator:
• Date of the Cybersecurity Event;
• Description of how the information was breached, including the specific roles of TSPs (if any);
• How the Cybersecurity Event was discovered;
• Whether and how any breached information was recovered;
• Identity of the source of the Cybersecurity Event;
• Whether and when the Licensee filed a police report or notified any regulatory, government or law enforcement agencies;
• Description of the specific types of information acquired without authorization;
• Period during which the Information System was compromised by the Cybersecurity Event;
• Total number of consumers in the state affected;
• Results of any internal review identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed;
• Description of efforts being undertaken to remediate the situation which permitted the Cybersecurity Event to occur; and
• Name of a contact person who is both familiar with the Cybersecurity Event and authorized to act for the Licensee.
This notice obligation does not replace any obligation the Licensee may have to provide consumers or state agencies with notice under a state’s data breach notification law.
Annual Certification. Each insurer is required to submit an annual certification to the insurance regulator of its state of domicile, affirming its compliance with the Information Security Program provisions of the Model Law. The certification must be submitted by February 15 for the preceding calendar year. The insurer is required to maintain the documentation evidencing its compliance for a period of five years, and that documentation must be available for inspection by the state. To the extent an insurer has identified areas that require improvement, updating or redesign, it must also document the remedial efforts that are underway or planned. In contrast to the NYDFS regulation, this annual certification requirement only applies to insurers and not to insurance producers.[4]
Exemptions. Employees and agents of a Licensee who are themselves Licensees are not required to develop their own Information Security Programs as long as they are covered by their organization’s program. However, they remain subject to the other requirements of the Model Law, namely the Cybersecurity Event investigation and notification requirements.
A Licensee that has fewer than ten employees, including independent contractors, is exempt from the Information Security Program requirements of the Model Law. Further, a Licensee subject to the Health Insurance Portability and Accountability Act (HIPAA) may simply certify its compliance with HIPAA’s Information Security Program requirements in order to satisfy the Model Law’s Information Security Program requirements.
The Model Law’s exemptions are somewhat narrower than those provided under the NYDFS regulation in that the Model Law does not have a partial exemption for Licensees with less than $5 million in gross revenue in a state or less than $10 million in assets.
If a Licensee ceases to qualify for an exemption, it then has 180 days to comply with the Model Law.
According to a drafting note, the intent of the drafters of the Model Law was that a Licensee’s compliance with the NYDFS cybersecurity regulation would also satisfy a Licensee’s obligations under the Model Law. However, the text of the Model Law does not contain an express exemption for Licensees already subject to the NYDFS regulation, and it is unclear whether states will require additional documentation, or even a certification, to demonstrate that a Licensee is in compliance with the NYDFS cybersecurity regulation.
Confidentiality. The Model Law provides broad confidentiality protections for materials shared with a state’s insurance regulators. Any materials that a Licensee shares pursuant to the Model Law (or during the course of an investigation or examination) remain confidential. Specifically, documents in the possession of the state would not be subject to FOIA or open records requests, subpoenas or discovery demands and would not be admissible in evidence in a private action. Additionally, no waiver of any applicable privilege claim in the materials occurs as a result of disclosure to an insurance regulator under the Model Law.
As noted above, the Model Law represents a significant effort by the NAIC to protect Nonpublic Information in the hands of insurance Licensees. However, because the Model Law is only an NAIC model, the actual adopted versions of the law may vary from state to state. Therefore, Licensees need to carefully monitor when and how the Model Law is enacted into law in their states. Significant deviations among the states could make compliance more difficult. Also, while the Model Law generally follows the example of the NYDFS regulation, the text is more limited in scope and less prescriptive in its requirements, so non-New York-regulated insurance Licensees may need to tailor their compliance programs accordingly to fill the gaps.