Legislation affects breaches involving insureds' information
Virginia’s new Insurance Data Security Act imposes monitoring, reporting and disclosure requirements for carriers handling policyholder data.
All insurers doing business in Virginia should be aware of a new law that went into effect on July 1, 2020. The Insurance Data Security Act (the “Act”) imposes various monitoring, reporting and disclosure requirements relating to the personal information of insureds across the state.
Here is a look at the major points of the Act and the new requirements affecting insurers that do business with Virginians.
Protected information
The Act is designed to protect what it refers to as “nonpublic information.” This term covers any information that is not publicly available and that falls into one of three categories:
(1) information relating to the business operations of an insurer, where unauthorized disclosure or access would cause an adverse impact;
(2) information that allows a consumer’s name, number or other identifier to be linked to that consumer’s social security number, driver’s license number, or financial account or credit card number; or
(3) information pertaining to physical or mental health care, including payment records.
It does not include age, gender, or any information that is available in public records or required disclosures.
Information security program
Every insurer doing business in Virginia is required to maintain a written information security program (ISP). While the scope of the ISP will necessarily depend on the size and complexity of the insurer, the nature of its activities, and the sensitivity of the information it maintains, each ISP must, at a minimum:
- Protect the security and confidentiality of protected information;
- Protect against anticipated threats or hazards to the security or integrity of protected information;
- Protect against unauthorized access to protected information;
- Establish a schedule for the retention of protected information and its destruction;
- Designate a person, affiliate or third-party vendor responsible for the ISP;
- Mitigate identified risks;
- Establish authentication controls;
- Restrict physical access to locations where records are stored;
- Protect against fire, water and other disasters as well as technological failures;
- Provide for the secure disposal of protected information;
- Keep up to date on the latest threats and vulnerabilities;
- Provide cybersecurity awareness training for employees;
- Report to the board of directors;
- Be regularly monitored, reevaluated and adjusted based on factors such as technological changes, emerging threats, and changes to the insurer’s business structure and arrangements;
- Include a written incident response plan designed to respond to and recover from any unauthorized access or other cybersecurity event (see Va. Code § 38.2-623(G) for the required elements of the response plan).
Investigations
The Act’s scope is not limited to preventative measures. It also imposes an investigation requirement for any event that results in unauthorized access to, disruption of, or misuse of the insurer’s information system or protected information. At a minimum, the investigation must determine whether such an event occurred, assess the nature and scope of the event, identify the information that was compromised, and oversee reasonable measures to restore the security of the affected systems.
Disclosure to commissioner and notice to consumers
If an insurer learns that information has been compromised, it must notify the Insurance Commissioner within three days if the insurer is a Virginia corporation or if 250 or more Virginia residents are affected by the event. The notice must include information such as the timing of the event, a description of how the information was compromised, recovery efforts, and any law enforcement involvement. A full list of the disclosure requirements is at Va. Code § 38.2-525(B). The insurer must update and supplement the notice as new information is learned throughout the investigation.
The insurer must also provide notice of any compromised information directly to consumers if the information is reasonably likely to be the subject of identity theft or fraud to those consumers. This notice must be provided “without unreasonable delay” after determining or receiving notice that information has been compromised.
The notice must (1) describe the incident in general terms, (2) identify the type of protected information that was compromised, (3) describe what the insurer is doing to protect against future unauthorized access, (4) give a telephone number the consumer can call for information and assistance, and (5) advise the consumer to review account statements and monitor credit reports. The insurer must mail the notice unless the cost of doing so would exceed $50,000 or more than 100,000 consumers are affected, in which case electronic notice is acceptable.
Additionally, if notice is provided to more than 1,000 consumers, the insurer must provide a copy of the notice to national credit reporting agencies.
Use of third-party service providers
Many insurers will choose to outsource the creation and implementation of the ISP to a third-party vendor. Additional requirements were phased in on July 1 for insurers choosing this option. The insurer must exercise “due diligence” in selecting the vendor, and it retains responsibility for overseeing the vendor to ensure that the vendor implements administrative, technical and physical measures to keep protected information secure.
Certification and record retention for Virginia-based insurers
On January 1, 2023, each insurer domiciled in Virginia will be required to certify its compliance with the Act to the insurance commissioner. All ISPs, investigation reports and related documents must be retained for five years.
Insurance commissioner oversight and confidentiality
The insurance commissioner has the power to examine and investigate the insurer to ensure compliance with the Act, and to take any action necessary to enforce its provisions. Forthcoming rules and regulations will likely add further duties and requirements.
As with investigations involving insurance fraud, the information and documents obtained by the insurance commissioner during an investigation into an insurer’s response to a compromise of protected information are protected from civil discovery and subpoenas. However, the commissioner may use such documents and information in furtherance of any regulatory or legal action, and may share documents with, and receive documents from, regulatory and law-enforcement authorities.
Exceptions
The Act does not apply to:
- Insurers already subject to and compliant with HIPAA or depository institution information security requirements; or
- Independently licensed employees, agents, representatives, or designees of an insurer, if they are covered by the insurer’s ISP, investigation and notification obligations.
With cyberattacks, ransomware, and other nefarious technological threats menacing insurers and their customers, responsible cybersecurity practices are now not only good business sense; they’re the law.
Thomas Moran is a partner at Wright, Constable & Skeen and assists clients with diverse legal needs, including contractors, material suppliers, sureties, insurers, mortgage lenders and brokers. He can be reached at tmoran@wcslaw.com.