Highlights of the Insurance Data Security Model Law

A draft of the Insurance Data Security Model Law was released by the Cybersecurity (EX) Task Force in March. Insurers and others have been commenting on the release through written letters and during a meeting with the task force in May.

But how is a breach defined? Who are insurance licensees? What needs to be in a licensee’s information security program?

Below, we outline highlights of some of the answers contained in a few sections of the draft, which includes 20 separate sections in all.

Section 3, Definitions

• Breach of data security means the unauthorized acquisition of personal information but does not include the unauthorized acquisition of personal information that is encrypted, redacted, or made unreadable or unusable by some other means. (Section 3, Subsection A)
• Licensee means all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the state’s insurance law. (Section 3, Subsection F)
• Other defined terms include consumer, encrypted, personal information, substantial harm or inconvenience (as the breach of data causing such harm requires notice to the insurance commissioner and others), information security program, and third-party service provider (for whom oversight activities are detailed as part of the information security program).

Section 4, Information Security Program

• Put it in writing. The model law directs each licensee to “develop, implement and maintain a comprehensive written information security program. (Section 4, Subsection A)
• What to include.The written security program should contain “administrative, technical and physical safeguards for the protection of personal information.” (Section 4, Subsection A)
• Tailoring permitted. The scale and scope of the program is to be “appropriate to” the following: the size and complexity of the licensee; the nature and scope of the licensee’s activities; the sensitivity of the consumer information. (Section 4, Subsection C)
• Use the NIST Framework for risk management. While insurer and producer information security programs will differ based on the sensitivity of the information they have and the complexity of their activities, the draft sets the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) as the guide for adopting security measures in many areas: the placement of access controls, restriction of physical access to locations that house personal information, encryption policies, attack testing and monitoring activities, among other items. (Section 4, Subsection E)
• Use an ISAO, an Information Sharing and Analysis Organization, to stay current on threats and to share information. (Section 4, Subsection E)
• Oversee third-party service providers and require such providers to safeguard personal information, notify the licensee of any breach within three days of discovery, indemnify licensees for resulting losses and allow for cybersecurity audits. These requirements are to be agreed to “by contract,” and third parties must also “represent and warrant” compliance with these requirements. (Section 4, Subsection E)
• Get information security on the boardroom agenda. See related discussion, “Cyber in Focus: What Insurer Boards Need to Do,” below. (Section 4, Subsection F)

Section 7, Breach Notification

• Speedy notice required.Notification of law enforcement, the insurance commissioner, consumer reporting agencies and consumers is prescribed to take place “without unreasonable delay” in the event that the licensee discovers a data breach that is “reasonably likely to cause substantial harm or inconvenience to the consumers” (defined in Section 3).
• Notice to the insurance commissioner must take place within five calendar days, and to consumers within 60 days. (Section 7, Subsections A, B and D)

Section 8, Consumer Protections

• ID theft protection prescribed.At a minimum, licensees are to pay for at least 12 months of identity theft protection for consumers following a breach, with the appropriate level of further measures to be prescribed by the commissioner.

Section 15, Individual Remedies

• See you in court.Licensees that don’t comply with provisions of the act may face legal action.
• Two-year limitation.Individuals whose rights have been violated can sue “for appropriate equitable relief,” but the action must be brought within two years of discovery of the alleged violation.

Cyber in Focus: What Insurer Boards Need to Do

Members of the boards of directors of insurance companies licensed in the U.S. may already have cybersecurity activities on their agendas. Those that don’t may need to catch up soon, if the Insurance Data Security Model Law gets passed in their state.

The model law draft exposed to the public for comment in March 2016 directs insurers to address cybersecurity risks in their enterprise risk management processes. More directly, in Section 4F (Information Security Program/Oversight by Board of Directors), the law outlines these board responsibilities—to be carried out by the board or an appropriate committee of the board:

• Approve the insurer’s written information security program.
• Oversee the development, implementation and maintenance of the insurer’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

The reports from management, which the board is to review annually at least, provide information about:

• The overall status of the information security program and the insurer’s compliance with the act.
• Material matters related to the insurer’s program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the information security program.