On August 2, 2019, New Hampshire Governor Chris Sununu signed into law SB 194 (the “Bill”), which requires insurers licensed in the state (“licensees”) to put in place data security programs and to report cybersecurity events. Although the Bill takes effect January 1, 2020, licensees have one year from the effective date (i.e., until January 1, 2021) to implement the relevant cybersecurity requirements and two years from the effective date (i.e., until January 1, 2022) to ensure that their third-party service providers also implement appropriate safeguards to protect and secure the information systems and nonpublic information accessible to, or held by, those providers.
Key provisions of the Bill include:
- Information Security Program. The Bill requires licensees to develop, implement and maintain, based on risk assessments, information security programs that contain administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. The information security program must “mitigate . . . identified risks” and, among other enumerated requirements, be designed to “define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.”
Nonpublic information is defined as information that is not publicly available and that is “any information concerning a consumer[,] which . . . can be used to identify such consumer, in combination with” a Social Security number, driver’s license or non-driver identification card number, financial account or credit or debit card number, a security or access code or password that would permit access to a financial account, or biometric information. The term also includes certain healthcare information that can be used to identify a particular consumer.
- Incident Response Plan. As part of the information security program, licensees also must establish a written incident response plan aimed at promptly responding to and recovering from cybersecurity events that compromise the confidentiality, integrity or availability of nonpublic information in the licensee’s possession, the licensee’s information systems or the continuing functionality of any aspect of the licensee’s business or operations.
- Recordkeeping. Licensees must maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event. In addition, each insurer domiciled in the state must submit an annual written statement by March 1 certifying that the insurer is in compliance with the requirements set forth in the Bill. These certifications, including the supporting records, schedules and data, must be kept for a period of five years.
The state insurance commissioner may take “necessary or appropriate” action to enforce the new law. Violations of the provisions may result in the suspension or revocation of a licensee’s certificate of authority or license, or an administrative fine of up to $2,500 per violation.