Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws. These laws come on the heels of Connecticut’s law, enacted a few days earlier. Notably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations model, Delaware and New Hampshire followed South Carolina, Ohio, Michigan, and Mississippi in adopting a version of the model law put forth in 2018 by the National Association of Insurance Commissioners (“NAIC”). Although the New York and NAIC frameworks are similar—both require written information security programs and impose a 72-hour breach notification deadline—the legislation as enacted by each state varies, resulting in a patchwork compliance framework for insurance companies that operate across multiple states.
New Hampshire’s Insurance Data Security Law and Delaware’s Insurance Data Security Act apply to any individual or non-governmental entity that is required to be licensed, authorized, or registered pursuant to the respective state’s insurance laws (each a “Licensee”), and are intended to protect “nonpublic information,” defined, generally, as any information that can be used to identify a consumer, including health care information. Excluded from covered Licensees are entities with fewer than 20 employees (New Hampshire) or fewer than 15 employees (Delaware), an increase from the 10-employee exception found in the NAIC model law.
Under both laws, a Licensee is required to have a written information security program in which administrative, technical, and physical safeguards are implemented based on the results of a risk assessment. A written incident response plan and a schedule for the retention, and a process for the destruction, of nonpublic information must also be components of the information security program. Written certification to the respective state commissioner that the Licensee is in compliance with these requirements must be submitted annually (though New Hampshire and Delaware have different submission deadlines). Compliance with these requirements is evaluated in the context of the Licensee’s size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it possesses or uses. The commissioner is authorized to “examine and investigate” any Licensee and to take “action that is necessary or appropriate” if the commissioner “has reason to believe” a Licensee is in violation of the law. Notably, the New Hampshire law contains a safe harbor provision that deems compliant those Licensees who are in compliance with the NYDFS Cybersecurity Regulations.
Should a “cybersecurity event” occur—defined generally as unauthorized access to nonpublic information or the information system—both laws require notification to the commissioner within three business days (relaxed from the NAIC’s rigid 72-hour deadline) from the determination that such an event has occurred. If the nonpublic information was encrypted, or the impacted nonpublic information was not used or has been returned or destroyed, such circumstances do not rise to the level of a “cybersecurity event.” In Delaware, under certain circumstances in which notice to the affected consumers is required, the law imposes a 60-day deadline and, further, requires that the Licensee provide free credit monitoring services to the consumer for a period of one year. The medium by which consumers must be notified is also detailed in Delaware’s law.
The Delaware law’s compliance deadline is July 31, 2020, and the New Hampshire law’s compliance deadline is January 1, 2021. Both laws allow an additional year to ensure that third-party service providers are compliant.
These recent laws serve as yet another reminder that insurance licensees need to closely monitor the changing legal landscape and be ready to adapt their practices to ensure compliance.