Navigating the maze of state cybersecurity regulations
Review the keys to remaining in compliance with various cyber regulations when it comes to internal security protocol.
While cyberthreats continue to evolve and generate conversations, discussed less often is the fact that insurers are finding themselves more attractive targets for cybercriminals thanks to the troves of personal data they hold.
In October 2017, responding to these concerns, the National Association of Insurance Commissioners (NAIC) adopted the “Insurance Data Security Model Law,” also known as Model Law 668, which was based on New York’s first-of-its-kind cybersecurity regulation. New York’s regulation, enacted in March 2017, established minimum cybersecurity standards for insurance companies, banks and other financial services institutions.
The standards are intended to promote uniformity of data security and breach notification standards in the insurance industry. Although states were initially slow to adopt Model Law 668, the pace has accelerated in the past year. In 2021 alone, seven states have enacted a version of the model law, bringing the total number of states to 18, including Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Virginia and Wisconsin.
Model Law 668 establishes requirements for data security, responses to breaches, and notification to policyholders. It covers “licensees,” meaning anyone required to be licensed, authorized or registered pursuant to the state’s insurance laws. Depending on state law, this could include not only insurers but also insurance agents, public adjusters and claims handlers. Licensees must develop a comprehensive written Information Security Program. Essentially, the licensee must have a plan in place to safeguard certain “nonpublic information” such as Social Security numbers, driver’s license numbers, account numbers and credit card information. Licensees must also develop a schedule for deleting nonpublic information when it is no longer needed.
The model law takes a balanced approach to cybersecurity based on the size and complexity of the licensee and the nature and scope of its operations. For example, the law carves out limited exceptions for licensees with fewer than 10 employees and licensees who comply with HIPAA’s rules regarding information security programs. Those exempt licensees, however, are still subject to Model Law 668’s requirements regarding investigation and notification of data breaches.
Making a plan
In addition, licensees must have an “incident response plan” in the event of a breach. If the licensee learns of or suspects a data breach, it must conduct a prompt investigation. The incident response plan must:
- Determine if a cybersecurity event has occurred.
- Assess the nature and scope of the event.
- Identify any nonpublic information that has been affected.
- Restore the security of the information systems compromised.
One of the first questions insurers and practitioners will ask is: “What are the penalties for non-compliance?” Model Law 668 provides little guidance. Although it includes a provision that explicitly declines to create any new private cause of action, it does not bar any action that otherwise exists under applicable state law. Rather than recommending specific penalties, the model law focuses on state regulatory authority and action in the event of a violation.
Despite the increasing pace of state adoption, most states have still not adopted Model Law 668. This lack of universal adoption risks disharmony in the insurance market, as insurers must comply with different cybersecurity regulations across state lines, a concern further compounded by the universal nature of cyberthreats. Even those states that have adopted Model Law 668 have done so inconsistently, creating a patchwork of different regulations.
For example, the deadline to report cybersecurity events to the commissioner varies from state to state. Most states require notice within three business days, but the deadline is 72 hours in South Carolina, five business days in Minnesota and 10 business days in Michigan.
In addition, there are discrepancies about which entities are exempt from the law’s various requirements. For example, Connecticut only exempts entities from its insurance data security laws if the entity has fewer than 10 employees, including independent contractors. In contrast, Alabama exempts entities that have fewer than 25 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets. Mississippi exempts entities that have fewer than 50 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to licensees for data security, investigation and notification to the commissioner of a cybersecurity event. Most states, excluding Connecticut and South Carolina, have adopted an exclusive standard provision, while Model Law 668 does not provide for such a standard.
However, there is one area where there has been general consistency across adopting states: enforcement and penalties. No state has created a new private right of action. Rather, each has authorized state insurance commissioners to enforce the law under existing insurance law and engage in related rulemaking.
When the NAIC first adopted the law in 2017, the Department of the Treasury urged Congress to pass its own cybersecurity law if Model Law 668 was not uniformly adopted in the subsequent five years. It does not appear that benchmark will be met next year. This possibility has played a role in encouraging states to adopt Model Law 668. In fact, a draft of Hawaii’s law expressly stated that it was being adopted to promote state uniformity and forestall federal preemption.
It is possible Congress may revisit this issue and pass nationwide legislation applicable to insurers, which could preempt state laws. In 2018, the Financial Services Committee of the U.S. House of Representatives passed a bill called the Consumer Information Notification Requirement Act that would have created a hybrid regime under which federal financial authorities such as the Federal Reserve and Comptroller of the Currency would establish standards for preventing and notifying customers of data breaches. Although that bill did not become law, it is an issue that a new Congress in 2022 could add to the legislative calendar.
Whether Congress acts or not, and regardless of which states adopt Model Law 668, insurers that issue policies across state lines will need to take steps to ensure compliance with varying cyber regulations.
Greg Mann is a partner in the insurance coverage practice group at Rivkin Radler. He represents insurers in complex coverage litigation in state and federal courts and in arbitrations across the country.