States Diverge in Following Either the NAIC or New York in Implementing Cybersecurity Regulations
States continue to implement insurance-specific cyber and data security regulations, drawing on either the National Association of Insurance Commissioners Insurance Data Security Model Law (“Model Law”) or the New York Department of Financial Services’ Cybersecurity Regulation (“NY Regulation 500”). Since July, Delaware and New Hampshire have joined the handful of states largely following the Model Law, while Connecticut based its regulation on NY Regulation 500. Alabama, Michigan, Mississippi, Ohio, and South Carolina have previously enacted regulations based on the Model Law.
NY Regulation 500 inspired the Model Law, and the two share many similarities. Both require licensees to (i) develop a written cybersecurity program, (ii) investigate and timely report data breaches, (iii) conduct risk assessments, and (iv) annually certify compliance with security provisions to the state insurance commissioner. Subject to certain exceptions, any entity licensed to do business in a state where these laws have been enacted must comply with their provisions. Both regulations also require licensees to exercise due diligence in selecting third-party service providers and to ensure those third parties maintain reasonable safeguards.
These regulations strengthen the generally applicable, state-by-state data breach notification laws by requiring licensees to notify the insurance commissioner of any cybersecurity event and to notify affected consumers within a mandated timeframe. These insurance-specific regulations cover “nonpublic information,” which is defined more broadly than the “personally identifiable information” covered under general data breach notification laws. Nonpublic information includes not only personally identifiable information but also certain business-related information and information about an individual’s health, finances, or other condition.
While the Model Law and NY Regulation 500 share common goals, the regulations have significant differences. The Model Law qualifies specific security requirements based on an “appropriateness” standard, which is not in NY Regulation 500. The Model Law also does not limit “nonpublic information” to electronic data whereas NY Regulation 500 does. Additionally, the Model Law, unlike NY Regulation 500, excludes risk purchasing groups and risk retention groups chartered and licensed in another state.
States also differ in how they enact these laws, reflecting legislative preferences. Businesses with fewer than ten employees, as well as independent contractors, are exempt from the Model Law’s information security program requirements. Some states raise this threshold to twenty-five employees, some do not count independent contractors toward it, and some add a further exemption based on revenue. The time allowed to notify the insurance commissioner of a data breach also varies: the Model Law affords 72 hours, whereas Connecticut, Ohio, and Delaware relax this timeframe to three business days and Michigan relaxes it to five.
We expect other states to enact similar regulations soon, so every entity subject to state insurance department regulation should continue to monitor this changing legal landscape. These regulations are reactive and provide only minimum standards for safeguarding data in the face of ever more sophisticated and damaging cyberattacks. Established insurance businesses, and startups that want to work with insurers, should incorporate the most stringent components of each applicable regulation into their in-house cybersecurity programs to ensure compliance across jurisdictions and to keep pace with industry standards.