
Alston & Bird Privacy Blog


New Hampshire Passes Insurance Data Security Law

August 23, 2019 By Dorian Simmons

New Hampshire recently passed its Insurance Data Security Law, based on the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law.  The law will go into effect January 1, 2020.  New Hampshire is one of several states, including Alabama, Connecticut, Delaware, Michigan, Mississippi, Ohio, and South Carolina, that have passed an insurance data security law following NAIC’s model.  These laws, along with the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), establish standards for insurance department licensees to develop risk-based information security programs and impose notification obligations in response to cybersecurity events.  The New Hampshire law defines a cybersecurity event as “an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system.”  A cybersecurity event does “not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.”

Below is a high-level overview of some of the most important aspects of New Hampshire’s new law (and which reflect requirements generally common to laws based on the NAIC model).

Information Security Program

New Hampshire’s Insurance Data Security Law requires a licensee to implement a risk-based written information security program by January 1, 2021.  The program must be proportionate to the “size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control.”  A licensee is required to design a program that includes appropriate security measures to address risks identified in the risk assessment, which may include encryption and multi-factor authentication.

Incident Response Plan

As part of the information security program, a licensee is required to establish an incident response plan to respond to and recover from cybersecurity events.  New Hampshire’s law specifies that the plan must cover several areas such as the internal process for responding to events, roles and responsibilities of key decision-makers, procedures for external and internal communications and information sharing, and the evaluation and revision of the incident response plan following an event.

Responsibility of Board of Directors and Executive Management

Under the law, a licensee’s board of directors must require executive management to implement the written information security program.  Executive management is obligated to report annually to the board of directors on the status of the program, the licensee’s compliance with the law, and any other material matters related to the program.  Executive management may delegate responsibilities, but it remains responsible for the development, implementation and maintenance of the program.

Certification and Record Keeping

A licensee is required to certify annually, by March 1, to the commissioner of insurance that it is in compliance with the data security law.  Evidence of certification must be maintained for five (5) years.  A licensee must adjust its information security program as changes occur in technology, in the licensee’s nonpublic information, and in the threats to such information.  If a licensee identifies any areas that require “material improvement, updating, or redesign,” it must document the planned improvements to address such areas and make that documentation available for inspection by the commissioner.

Investigation and Notification of Cybersecurity Events

The law requires a licensee to investigate potential cybersecurity events.  If the licensee determines that a cybersecurity event occurred, it must notify the commissioner within three (3) business days of the determination under certain conditions.  Notification is required if (1) New Hampshire is the state of domicile or home state of the covered entity and there is a reasonable likelihood of the cybersecurity event harming a New Hampshire consumer or the normal operations of the licensee or (2) the licensee reasonably believes that at least two hundred fifty (250) New Hampshire consumers were affected and either (a) the licensee is required to notify a government body, self-regulatory agency, or any other supervisory body under any state or federal law or (b) there is a reasonable likelihood of materially harming a New Hampshire consumer or any material part of the normal operations of the licensee.

The notification must include as much of the information enumerated in the data security law as possible, including the date of the cybersecurity event, a description of the event, how the event was discovered, whether a police report was filed, the types of information involved, and a statement outlining the steps the licensee will take to investigate and to notify affected consumers.

Third-Party Service Providers

A licensee has until January 1, 2022 to implement oversight of third-party service providers.  A licensee must exercise due diligence in selecting third-party service providers and must require the service providers to employ appropriate administrative, technical and physical measures.  If a cybersecurity event occurs on the systems of a third-party service provider, the licensee must either investigate the event itself or confirm that the service provider has done so.  To the extent that a third-party service provider is involved in a cybersecurity event, the notification to the commissioner must include the service provider’s role and responsibilities in the event.  If a cybersecurity event occurs on the systems of a service provider, the licensee is still required to provide notice unless the third-party service provider is doing so.

Exceptions and Safe Harbors

The data security law contains several exceptions.  For example, the law does not apply to licensees with fewer than twenty (20) employees.  It also does not require employees, agents, representatives or designees of licensees who are also licensees to develop their own information security program to the extent that they are covered by the other licensee’s program.  Notably, bank or credit union licensees that implement administrative, technical, and physical safeguards under the Gramm-Leach-Bliley Act (GLBA) and Fair and Accurate Credit Transaction Act of 2003 (FACTA) are exempt from establishing an information security program.  Notification to affected consumers must be made pursuant to GLBA.  The law also provides a safe harbor for licensees who are compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).

Penalties

Any person who knowingly violates the New Hampshire Insurance Data Security Law may be subject to suspension or revocation of license or an administrative fine not to exceed $2,500 per violation.

Filed Under: Cybersecurity, Data Breach, Data Protection, Data Security, Insurance Data Security, Legislation, Security Breach

About Dorian Simmons

Dorian Simmons is an associate in the Technology & Privacy Group. Dorian focuses his practice on technology transactions and data privacy issues. He assists clients with technology contracting and procurement, and privacy and data security-related matters.

