New Hampshire recently passed its Insurance Data Security Law based on the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law will go into effect January 1, 2020. New Hampshire is one of several states, including Alabama, Connecticut, Delaware, Michigan, Mississippi, Ohio, and South Carolina, that have passed an insurance data security law following NAIC’s model. These laws, along with the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), establish standards for insurance department licensees to develop risk-based information security programs and impose notification obligations in response to cybersecurity events. The New Hampshire law defines a cybersecurity event as “an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system.” A cybersecurity event does “not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.”
Below is a high-level overview of some of the most important aspects of New Hampshire’s new law, which also reflect requirements generally common to laws based on the NAIC model.
Information Security Program
New Hampshire’s Insurance Data Security Law requires a licensee to implement a risk-based written information security program by January 1, 2021. The program must be proportionate to the “size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control.” A licensee is required to design a program that includes appropriate security measures to address risks identified in the risk assessment, which may include encryption and multi-factor authentication.
Incident Response Plan
As part of the information security program, a licensee is required to establish an incident response plan to respond to and recover from cybersecurity events. New Hampshire’s law specifies that the plan must cover several areas such as the internal process for responding to events, roles and responsibilities of key decision-makers, procedures for external and internal communications and information sharing, and the evaluation and revision of the incident response plan following an event.
Responsibility of Board of Directors and Executive Management
Under the law, a licensee’s board of directors must require executive management to implement the written information security program. Executive management is obligated to annually report to the board of directors the status of the program, the licensee’s compliance with the law, and any other material matters related to the program. Executive management may delegate responsibilities, but they remain responsible for the development, implementation and maintenance of the program.
Certification and Record Keeping
A licensee is required to annually certify to the commissioner of insurance, by March 1, that it is compliant with the data security law. Evidence of certification must be maintained for five (5) years. A licensee must adjust its information security program as changes occur in technology, the licensee’s nonpublic information, and threats to such information. If a licensee identifies any areas that require “material improvement, updating, or redesign,” it must document planned improvements to address such areas and make such documentation available for inspection by the commissioner.
Investigation and Notification of Cybersecurity Events
The law requires a licensee to investigate potential cybersecurity events. If the licensee determines that a cybersecurity event occurred, it must notify the commissioner within three (3) business days of the determination under certain conditions. Notification is required if (1) New Hampshire is the state of domicile or home state of the covered entity and there is a reasonable likelihood of the cybersecurity event harming a New Hampshire consumer or the normal operations of the licensee or (2) the licensee reasonably believes that at least two hundred fifty (250) New Hampshire consumers were affected and either (a) the licensee is required to notify a government body, self-regulatory agency, or any other supervisory body under any state or federal law or (b) there is a reasonable likelihood of materially harming a New Hampshire consumer or any material part of the normal operations of the licensee.
The notification must include as much information outlined in the data security law as possible, including the date of the cybersecurity event, a description of the event, how the event was discovered, whether a police report was filed, the types of information involved and a statement outlining the steps the licensee will take to investigate and notify affected consumers.
Third-Party Service Providers
A licensee has until January 1, 2022 to implement oversight of third-party service providers. A licensee must exercise due diligence in selecting third-party service providers and require the service providers to employ appropriate administrative, technical, and physical measures. If a cybersecurity event occurs on the systems of a third-party service provider, the licensee must either investigate the event or confirm that the service provider has done so. To the extent that a third-party service provider is involved in a cybersecurity event, the notification to the commissioner must include the service provider’s role and responsibilities in the event. If a cybersecurity event occurs on the systems of a service provider, the licensee is still required to provide notice unless the third-party service provider is doing so.
Exceptions and Safe Harbors
The data security law contains several exceptions. For example, the law does not apply to licensees with fewer than twenty (20) employees. It also does not require employees, agents, representatives, or designees of licensees who are themselves licensees to develop their own information security program to the extent that they are covered by the other licensee’s program. Notably, bank or credit union licensees that implement administrative, technical, and physical safeguards under the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) are exempt from establishing an information security program. Notification to affected consumers must be made pursuant to GLBA. The law also provides a safe harbor for licensees who are compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
Penalties
Any person who knowingly violates the New Hampshire Insurance Data Security law may be subject to suspension or revocation of license or an administrative fine not to exceed $2,500 per violation.