On August 2, 2019, New Hampshire Governor Chris Sununu signed into law SB 194 (the “Bill”), which requires insurers licensed in the state (“licensees”) to put in place data security programs and report cybersecurity events. Although the Bill takes effect January 1, 2020, licensees have one year from the effective date to implement relevant cybersecurity requirements and two years from the effective date to ensure that their third-party vendors also implement appropriate safeguards to protect and secure the information systems and nonpublic information accessible to, or held by, the third-party service providers.

Key provisions of the Bill include:

  • Information Security Program. The Bill requires licensees to develop, implement and maintain, based on risk assessments, information security programs that contain administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. The information security program must “mitigate . . . identified risks” and, among other enumerated requirements, be designed to “define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.”

Nonpublic information is defined as information that is not publicly available information and is “any information concerning a consumer[,] which . . . can be used to identify such consumer, in combination with” Social Security number, driver’s license or non-driver identification card number, financial account or credit or debit card number, a security or access code or password that would permit access to a financial account, or biometric information. The term also includes certain healthcare information that can be used to identify a particular consumer.

  • Incident Response Plan. As part of the information security program, licensees also must establish a written incident response plan aimed at promptly responding to and recovering from cybersecurity events that compromise the confidentiality, integrity or availability of nonpublic information it possesses, the licensee’s information systems or the continuing functionality of any aspect of the licensee’s business or operations.
  • Breach Notification. Licensees also must notify the state insurance commissioner of a cybersecurity event within three business days of a determination that a cybersecurity event has occurred when the licensee is domiciled in New Hampshire or if the cybersecurity event is reasonably believed to have affected at least 250 New Hampshire residents, among other criteria. The notification must provide certain content, including: (1) the date of the cybersecurity event; (2) a description of how the information was compromised and how the breach was discovered; (3) a description of the specific types of information compromised; (4) the approximate number of affected New Hampshire residents; (5) a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the breach; (6) the name of a contact person; and (7) a copy of the notice sent to consumers. The Bill requires licensees to notify consumers pursuant to certain provisions of New Hampshire’s breach notification law.
  • Recordkeeping. Licensees must maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event. In addition, each insurer domiciled in the state must submit an annual written statement by March 1 that certifies that the insurer is in compliance with the requirements set forth. These certifications, including supporting records, schedules and data, must be kept for a period of five years.

The state insurance commissioner may take “necessary or appropriate” action to enforce the new law. Violations of the provisions may result in the suspension or revocation of a licensee’s certificate of authority or license, or an administrative fine of up to $2,500 per violation.