Virginia has a new law, the Insurance Data Security Act (New Law), going into effect on July 1, 2020, which will expand the data security and incident notification requirements on insurers licensed in the Commonwealth. The New Law is similar to the National Association of Insurance Commissioners’ Insurance Data Security Model Law – with some important modifications. Below is a high-level overview of the New Law, along with a focus on certain specifics, to help you gain a better understanding of what will be required.
Information Security Program
The New Law will maintain the current requirement for implementing a comprehensive written information security program (InfoSec Program) with appropriate administrative, technical and physical (ATP) safeguards; however, it also calls out the following specific requirements that must be addressed:
- Risk assessment. The InfoSec Program must be based on licensee’s risk assessment;
- Data retention and destruction. The InfoSec Program must define and provide for periodic reevaluation of a data retention schedule and mechanisms for destruction of nonpublic information (defined in the next section, below);
- Responsibility designation. Licensees must designate an employee, affiliate or vendor to be responsible for the InfoSec Program;
- Systems access controls. Licensees must establish access controls on information systems;
- Physical access restrictions. Licensees must restrict access at physical locations that contain nonpublic information;
- Environmental hazard measures. Licensees must implement measures to protect against destruction, loss or damage of nonpublic information from environmental hazards (e.g., fire, water, other catastrophes, and technological failures);
- Secure disposal. Licensees must implement and maintain procedures for the secure disposal of nonpublic information;
- Stay informed. Licensees must stay informed of emerging threats and vulnerabilities;
- Security when sharing. Licensees must use reasonable security measures when sharing information (based on the type of sharing and type of information);
- Training. Licensees must provide personnel with cybersecurity awareness training;
- Board involvement. The board of directors (if there is one) must require the organization’s information executive management (or its delegates) to (i) develop, implement and maintain the InfoSec Program, and (ii) report to the board in writing concerning program status and licensee compliance with the New Law, and material matters related to the program (such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations – and management’s responses, and recommendations for changes in the InfoSec Program);
- Monitor and adjust. Licensees must monitor, evaluate, and adjust the InfoSec Program consistent with changes in technology, sensitivity of nonpublic information, internal and external threats to information, changing business arrangements (e.g., M&A, alliances, joint ventures, and outsourcing), and changes to information systems; and
- Incident Response Plan. Licensees must establish a written incident response plan that complies with requirements in the New Law.
Beginning on July 1, 2022, covered licensee’s will be required to (i) exercise due diligence in selecting third-party service providers (TPSPs), and (ii) require TPSPs to implement reasonable ATP measures to protect systems and information.
Beginning on January 1, 2023, insurers domiciled in Virginia will need to (i) begin annual compliance certifications to the Bureau of Insurance, (ii) document improvement areas and remediation efforts, and (iii) maintain compliance documentation for five years.
Cybersecurity Events Generally
Until July 1, 2020, insurers will continue to be governed by Virginia’s general data breach notification requirements; however, the New Law will put in place a new set of requirements for cyber security investigation and notification by insurers. It’s important to note that a “cybersecurity event” is broadly defined in the New Law to basically be an event that results in unauthorized access to, disruption of, or misuse of an information system or nonpublic information. It’s also important to note that “nonpublic information” is defined under the New Law generally as information that is (i) business information, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact on the licensee, or (ii) identifiable consumer information in combination with pieces of certain sensitive information (e.g., social security number, financial account, biometric records, etc.), or (iii) consumer healthcare treatment, payment or condition information. These definitions become important when analyzing an organization’s obligations related to security incidents.
Cybersecurity Event Investigations
Significantly, the New Law requires a prompt investigation after learning that a cybersecurity event has or may have occurred. It also specifies minimum information that must be determined, if possible, and steps that must be taken by a licensee. The New Law also requires the same level of effort regarding any cybersecurity event occurring in a TPSP system. Finally, a licensee must retain for five years all records regarding the cybersecurity event (and make them available to the Insurance Commissioner upon request).
Notice to Commissioner
Notice to the Commissioner of an actual cybersecurity event will be required (i) in the case of domestic insurers and producers, if the cybersecurity event meets thresholds and other requirements prescribed by the State Corporation Commission, and (ii) in the case of licensees generally, if they reasonably believe the cybersecurity event involves nonpublic information of 250 or more consumers residing in Virginia, or if notice is required to any self-regulatory agency or government/supervisory body under federal law or the laws of another state. The New Law predictably outlines specific pieces of information that must be provide in the notice, such as how the incident happened, how the incident was discovered, what information was acquired, the period of compromise, and the number of consumers affected. Importantly, however, licensees will also have to either identify lapses in controls and procedures, or confirm that all controls and procedures were followed.
Notice to the Commissioner must be provided as promptly as possible but in no event later than three business days, and it must be provided in accordance with requirements prescribed by the Commission. Licensees will have an ongoing obligation to update the notice to the Commissioner. Based on the language noted above, we can expect to see cybersecurity thresholds and other requirements from the Commission pertaining to notification under the New Law.
The New Law also provides direction for handling cybersecurity events involving TPSPs, ceding insurers and independent insurance producers. Fortunately, the New Law will not prevent or abrogate agreements between licensees and other parties to fulfill the investigative or notification requirements under the New Law.
Notice to Consumers
Consumers must be notified of a cybersecurity event if (or if the licensee reasonably believes) the consumers’ nonpublic information was accessed and acquired by an unauthorized person, and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to the consumers. Notice must be given without undue delay after a determination (or receiving notice) that a cybersecurity event has occurred. The New Law specifies the information that must be included in the notice (e.g., general description, types of information involved, actions being taken, etc.), and the methods that may be used for notification (postal, telephonic or electronic), including substitute notice. Information will have to be provided to the major credit reporting agencies when more than 1,000 consumers are notified. Where notice is required to the Commissioner (see above), a copy of the notice to consumers must also be provided to the Commissioner. As with most breach notification statutes, the New Law provides for a delay around law enforcement investigations. Finally, TPSPs can provide the notice to consumers where the incident occurs in their systems, but responsibility for notification ultimately rests with the licensee.
The New Law directs the Commissioner to adopt rules and regulations implementing the New Law. There’s more to come on that front.
There are three situations where licensees will be exempt or deemed in compliance with certain aspects of the New Law: (1) Licensees subject to HIPAA, that submit certain certifications, and that comply with the relevant provisions of HIPAA, will be considered compliant with the InfoSec Program, investigation and consumer notification requirements of the New Law; (2) A licensee who is also an employee, agent, representative or designee (the Agent Licensee) of another licensee (the Primary Licensee) is exempt from the InfoSec Program, investigation and notification requirements under the New Law to the extent the Agent Licensee is covered by the InfoSec Program, investigation and notification obligations of the Primary Licensee; and (3) Licensees affiliated with a depository institution that maintains an InfoSec Program in compliance with Interagency Guidelines under GLBA (the Guidelines) will be considered to meet the InfoSec Program requirements, provided the licensee produces, upon request, documentation satisfactory to independently validate the depository institution’s adoption of an InfoSec Program satisfying the Guidelines.
It’s also helpful to the note that the term “licensee” under the New Law does not include (i) a purchasing group or risk retention group chartered and licensed in a different state, or (ii) an assuming insurer that is domiciled in another state or jurisdiction.
The New Law provides for the confidential and privileged status of most information and materials provided to, or obtained by, the Commissioner as a part of certifications, notices, examinations and investigations, along with protections against subpoena and discovery in civil proceedings. However, the Commission is permitted to use the information and materials in furtherance of its regulatory or legal actions, and (with appropriate safeguards) to share the information and materials with certain third parties, such as consultants, other agencies and law enforcement.
Insurers and producers operating in Virginia need to review their current programs, policies and procedures to ensure they are ready to comply with the New Law. An important step in implementing the robust InfoSec Program requirements under the New Law is to conduct a risk assessment to help an organization identify and understand existing threats, risks and vulnerabilities. While the New Law will create more statutory and regulatory requirements, the good news is that compliance can also serve to improve an organization’s overall cybersecurity posture.
Sands Anderson’s Cybersecurity and Technology Team advises clients of all sizes concerning their data security obligations and risks, and we’re here to help with any questions or concerns you might have. Please reach out to any of our team members and we’ll be happy to help.