Council Foundation, Leaders Edge

April 4, 2019

As discussed in a previous newsletter analyzing the current cybersecurity landscape, the National Association of Insurance Commissioners (NAIC) established its own standard, known as the NAIC Insurance Data Security Model Law. This model law, which sets data security and data breach investigation and resolution standards across the insurance industry, closely follows the New York Department of Financial Services' Cybersecurity Rule: both obligate insurance licensees to maintain appropriate data security programs to protect their customers' data, and both impose a demanding breach notification deadline of 72 hours after a licensee determines that a cybersecurity event has occurred.

At the time of our previous newsletter back in September, only one state, South Carolina, had adopted the NAIC law in its entirety. But recently, more states have shown movement towards enacting legislation that either follows the NAIC law closely or departs from it in a few relatively minor ways. Ohio and Michigan now join South Carolina as adopters of the NAIC law, and versions of it have been introduced in Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire legislatures.

Ohio's and Michigan's versions of the law both differ from the NAIC model law in specific areas. Ohio extended the breach notification deadline from 72 hours to 3 business days, and Michigan extended it to 10 days. Legislators in both states also broadened the exemption for small licensees. Under the NAIC law, licensees with 10 or fewer employees are exempt from its requirements; Ohio's law exempts licensees with 20 or fewer employees, and Michigan's exempts licensees with 25 or fewer employees.

Additionally, Ohio's law provides a legal safe harbor for insurance licensees against lawsuits alleging that insufficient cybersecurity measures on the licensee's part caused a data breach, provided the licensee can show it has satisfied the new law's requirements. Ohio's law also narrows the definition of a "cybersecurity event" by requiring that the event not only stem from unauthorized access to or misuse of information but also have "a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee."