I had the pleasure of co-authoring this piece with prolific writer, attorney and sought-after public speaker Judy Selby. Quoted in publications such as the Wall Street Journal, Forbes and Fortune, Judy is one of the preeminent experts on cyber insurance. Through her consulting company, Judy provides strategic advice to companies and corporate boards concerning insurance, cyber risk mitigation and compliance.
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law (the NAIC Model) to establish standards for data security and for the investigation of, and notification about, certain cybersecurity events. The Model followed the lead of the New York Department of Financial Services, which in March 2017 promulgated its own Cybersecurity Regulation aimed at insurance entities and other financial institutions doing business in New York.
On May 3, 2018, South Carolina became the first state to adopt its own cybersecurity statute derived almost exclusively from the NAIC Model: the South Carolina Insurance Data Security Act. Just as California's first-in-the-nation data breach notification law spurred other states to enact their own, it is natural to ask whether other states will soon follow South Carolina in adopting the NAIC Model.
A CLOSER LOOK AT SOUTH CAROLINA’S NAIC MODEL INSPIRED LAW
Because South Carolina's Insurance Data Security Act is a virtually verbatim copy of the NAIC Model, a basic understanding of South Carolina's law and of the NAIC Model is effectively one and the same.
South Carolina's law applies to Licensees, essentially defined as persons or entities licensed, or required to be licensed, to sell insurance. Excluded from this definition are a Risk Purchasing Group or Risk Retention Group chartered and licensed outside South Carolina, as well as a Licensee acting as an assuming insurer domiciled in another state. The law imposes various obligations on Licensees to protect the security and confidentiality of nonpublic personally identifiable information and the systems that store it. Among these obligations are specific requirements, a few of which mandate:
- A risk assessment that identifies and evaluates threats;
- A written information security program that contains administrative, technical and physical safeguards (based upon the aforementioned risk assessment);
- Oversight of third-party service provider(s); and
- A written incident response plan designed to promptly respond to and recover from a cybersecurity event.
Inherent to the protection of consumer information is the investigation and notification of a “Cybersecurity Event”. The law defines this as “an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.” It is important to note that the law provides two significant carve-outs to what constitutes a cybersecurity event. The first is an encryption exception: if the Licensee encrypted information that is later acquired without authorization, and the acquirer does not also obtain the capability to decrypt it (that is, the key or the encryption process is not compromised along with the data), no cybersecurity event has occurred. The second applies where the Licensee determines that the information acquired was neither used nor released AND that it was returned or destroyed; in that case, too, no cybersecurity event has occurred.
Licensees who do, in fact, suffer a cybersecurity event must notify affected consumers within the timeframe set by the South Carolina breach notification statute. That is, notice to affected consumers must be given in “the most expedient time possible and without unreasonable delay.” This consumer-notice clock is borrowed from the state's general breach statute rather than set by the Model itself. Separately, a Licensee under the NAIC Model must notify the appropriate insurance regulatory official (the Commissioner) as promptly as possible, and no later than 72 hours from determining that a cybersecurity event has occurred. Should other states adopt the NAIC Model, the timeframe for consumer notice will likely follow each state's particular breach notification statute.
A SIGN OF FUTURE LEGISLATIVE ACTION BASED ON THE NAIC MODEL?
After South Carolina, it is likely only a matter of time before other states follow suit. Rhode Island recently introduced legislation based on the NAIC Model, and both the Nevada and Vermont legislatures have enacted provisions substantially similar to the Model Law for their respective financial services sectors.
In a larger context, lawyers for those affected by an insurance entity's cyber event are likely to contend that the NAIC Model and similar laws constitute the cybersecurity standard of care for the insurance industry. This gives insurance entities and agents alike all the more reason to comply with the NAIC Model now, rather than waiting for a state mandate.
The legal and regulatory pressure on insurance entities to implement demonstrably sound cybersecurity practices is not letting up. Consequently, even in the absence of current state mandates, today’s insurance entities should consider taking the following steps:
- Conduct an independent third-party cybersecurity risk assessment;
- Create and implement a comprehensive, written cybersecurity program;
- Institute a third-party service provider management program;
- Develop and practice a company-specific incident response plan; and
- Consider obtaining comprehensive insurance coverage for cyber-related exposures.
Have any questions? Do you own an insurance business and want to know more about compliance with the NAIC Model? Contact us today.