While the United States may not have data protections in place that are as extensive as those seen in the European Union’s GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security.
- The Insurance Industry’s Data Protection Standards
The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of state insurance regulators, provides one of the best examples of an industry taking steps on its own to regulate cyber security for the insurance industry. Early NAIC cyber security initiatives included creating Principles for Effective Cybersecurity Insurance Regulatory Guidance to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” The NAIC’s initiatives are based on the realization that the insurance industry faces its own unique issues in protecting sensitive data. In short, the NAIC’s initiatives provide one of the best examples of an industry taking steps to regulate itself rather than wait for state or federal regulations to plug the gaps.
- The Data Protections Found In The NAIC’s “Model Law.”
The NAIC furthered its track record on cyber security measures when it adopted the Insurance Data Security Model Law (“Model Law”) in October 2017 to encourage members of the insurance industry to adopt cyber security programs that would protect consumers’ personal information, create standards that would limit the damage caused by a breach, and create protocols to investigate incidents and notify the state insurance commissioner. Specifically, the Model Law is intended “to establish standards for data security and standards for the investigation of and notification to the Commission of a Cybersecurity Event” that involves an entity regulated under the insurance laws of a given state. (A copy of the Model Law can be found here.)
Insurance entities that operate in a state that has adopted a version of the Model Law may be subject to new regulations spanning the period before a cyber incident through the response after one. First, under the Model Law, an insurance entity may be required to create an “Information Security Program” and an “Incident Response Plan” before any incident occurs. The Model Law would also govern an insurance entity’s response to a cyber incident by creating guidelines for investigation and notification after an incident. The Model Law is currently being considered in a number of states (Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire) and has been adopted in some form in Michigan and South Carolina.
- Ohio’s Adoption Of The “Model Law”
Ohio is one of the first states to adopt a version of the NAIC’s Model Law through Senate Bill 273. On December 19, 2018, John Kasich, Ohio’s governor, signed Senate Bill 273 into law, which requires entities subject to Ohio’s insurance laws to take certain steps to protect private information. While the Ohio legislature adopted a large portion of the Model Law, Senate Bill 273 had some notable changes that include:
- Affirmative Defense: Senate Bill 273 provides insurance entities that are in compliance with the statute with an affirmative defense to liability if they are sued for a cyber security incident;
- Other Considerations: The Ohio Department of Insurance can consider other factors related to a breach including the type of business and size of the insurance entity; and
- Easy Compliance: A streamlined process allows the insurance entity to file documents to comply with the provisions of this law with other corporate documents filed with the State of Ohio.
Ohio’s law is more than an abstract cyber security guideline. Rather, it sets concrete deadlines: all insurance entities must conduct a risk assessment that addresses the nature and likelihood of any internal threat to private information, and must implement a security program based on that risk assessment, by March 19, 2020. Therefore, Ohio’s insurance entities have work to do over the next year.
- Industry Standards Provide Guidance
While many data collectors struggle to comply with various state and federal privacy laws, industry standards provide a uniform set of regulations. Further, industry standards that are crafted by members of the industry provide guidance on the issues facing that particular industry. And, while there is an argument that more regulations may become burdensome, regulations such as Ohio’s Bill 273 are helpful to the extent they protect sensitive data, provide guidance to data collectors and may limit liability when there is a cyber security incident.