On December 12, 2018, the Ohio House passed Senate Bill 273 (the “Bill”) enacting Section 3965.01-11 to the Ohio Revised Code to “establish standards for data security and for the investigation of and notification to the Superintendent of Insurance of a cybersecurity event.”

The Bill is now on its way to the Governor’s Office for signature. SB273 codifies new obligations for insurance companies authorized to do business in the State of Ohio, including the requirement to:

  • Implement and maintain an information security program based on the results of a risk assessment in order to safeguard nonpublic business and personal information.
  • Develop a formal incident response plan to respond to a cybersecurity event as defined.
  • Certify compliance to the Superintendent of Insurance (the “Superintendent”) by submitting a written statement.
  • Investigate and asses the nature and scope of a cybersecurity event. This obligation extends to outside vendors or service providers acting on behalf of the insurance company.
  • Notify the Superintendent of a cybersecurity event, no later than 3 business days after the determination that the incident occurred, and certain residence, potential harm, and other requirements are met. There are additional notification requirements to affected consumers and the insurance authority of other states.

Further, the Bill makes an insurance company’s board of directors directly accountable for the oversight of the cybersecurity program and all its activities and results and the executive management solely responsible for all program governance activities and compliance reporting.

Safe Harbor

Similar to the recently enacted Data Protection Act (R.C. 1354), insurance companies deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework are entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of Ohio or in an Ohio court and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

Certain small insurers (fewer than 20 employees or $5 million in gross annual revenue) are excluded from the information security program requirements, and HIPAA-compliant insurers are deemed to be also compliant with the Bill’s obligations.

Powers of the Superintendent

Under SB273, the Superintendent has the power to examine and investigate any insurance company to determine whether it has been or is engaged in any conduct in violation of the cybersecurity requirements. It also gives the Superintendent the power to take any appropriate action to enforce the Bill’s provisions.

Confidentiality of Cybersecurity Documents

Certain documents are considered confidential, privileged, not a public record, prohibited from release, not subject to subpoena, and not subject to discovery or admissible in evidence in any private civil action under the Bill. Those confidential documents include an insurance company’s incident response plan, certification of compliance and affirmative defense, and information contained in the notice to the Superintendent. There are some exceptions allowing the Superintendent to disclose these documents in furtherance of any regulatory or legal action brought as a part of the Superintendent's duties.

Conclusion

The Bill is modeled after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. Once effective, Ohio would be the second state after South Carolina to adopt a version of the NAIC Model Law which resembles regulations passed by New York’s Department of Financial Services.Unless Congress preempts the states, it is likely that there is a rush by other states to enact similar laws in the next few years. Make sure that your company, including your board of directors, understands and is prepared to design and implement a strong cybersecurity program. Being prepared now would not only help you comply with Ohio law and be entitled to the safe harbor, but also be ahead of the game once other states enact similar legislation.