The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and has since been enacted in South Carolina, Ohio, Michigan, and Mississippi. The NAIC model borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500), and its adoption in 2017 set the stage for several state legislatures to put it on their legislative calendars.
PIA National has spent much of the time since watching the progress of the model in state houses around the country. In May 2018, South Carolina passed its own version of the NAIC model, which was quickly signed into law by its governor, Henry McMaster. South Carolina was the first state to pass the NAIC model and the only one thus far to have passed it almost exactly as drafted at the NAIC.
The NAIC model only matters insofar as it is adopted by states, so let’s examine how the states that have passed the model have done so thus far, today focusing on Ohio.
Ohio became the second state in the nation to adopt a version of the NAIC model law on December 19, 2018. Ohio’s law adds Sections 3965.01-11 to the Ohio Revised Code. Like the NAIC model and similar efforts in other states, the Ohio law applies to persons and entities required to be registered or licensed under Ohio insurance law, which makes it applicable to insurance companies, agents, and brokers, among others. (Reinsurers and risk retention groups chartered and licensed in states other than Ohio are exempted from the law.) “Licensees” have one year from the date of passage to comply with the new requirements, while the provisions covering third-party service providers take effect after two years.
Ohio requires its “licensees” to:
- Establish an information security program
- Develop a plan of risk assessment and management
- Establish oversight by the board of directors, which, together with executive leadership, is responsible for program governance and for compliance reporting
- Perform due diligence and monitoring of third-party service providers
- Investigate cybersecurity events and provide notice of them
- Develop a formal incident response plan
- Provide annual certification to the Superintendent of Insurance
There are unique aspects of the Ohio law that differentiate it from the NAIC model, however. Many of these deviations from the NAIC model will effectively make the law clearer and less prescriptive for those implementing it.
- The Superintendent of Insurance is permitted to consider the nature, scale, and complexity of licensees in adopting regulations in furtherance of the law. This provision could potentially provide some flexibility to ensure independent agents are not saddled with onerous requirements.
- The law gives insurance agents and other licensees an affirmative defense in a lawsuit alleging that they failed to implement reasonable information security controls and that the failure caused a data breach involving nonpublic information. A licensee that meets the requirements of the law “shall be deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework.” In other words, a licensee that has met the law’s requirements can raise that compliance as a defense to such a tort claim. To get the benefit of this “safe harbor” provision, a licensee must be defending a case brought under Ohio law or in an Ohio court.
- To trigger notice to the Superintendent, and to qualify as a cybersecurity event for legal purposes at all, an incident must present a “reasonable likelihood” of material harm to a consumer or to the licensee’s regular operations. Like the NAIC model, the Ohio law excludes the unauthorized acquisition of nonpublic information that was encrypted, provided the encryption key or process was not also compromised. These qualifications are meant to weed out the reporting of events that are unlikely to harm consumers.
- The Superintendent must be notified no more than “three business days” after a determination that a cybersecurity event has occurred. The NAIC model requires notice within 72 hours, so the Ohio clock excludes weekends (and holidays). While the NAIC model requires updates to the insurance commissioner for a wide range of reasons, the Ohio law requires updates to the Superintendent only for “material developments relating to the cybersecurity event.”
- Like the NAIC model, the Ohio law exempts licensees from some of its requirements under certain circumstances. However, Ohio adds further categories of exemption, covering licensees with (1) fewer than 20 employees, (2) gross annual revenue under $5 million, or (3) under $10 million in fiscal-year-end assets.
- All records regarding a cybersecurity event must be retained for five years under the Ohio law for inspection by the Superintendent upon request.
- The Ohio law provides clearer confidentiality and privilege protection for information that licensees share with regulators. “Documents, materials or other information” in the possession of the NAIC, a vendor, or a third-party service provider are privileged and confidential by law, are not public records, and may not be released. They are not subject to subpoena or discovery and are not admissible as evidence in a private civil action.
- Carriers that already comply with the cybersecurity provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are exempt from the Ohio law if they submit a written certificate of compliance to the Ohio Department of Insurance.