Delaware and New Hampshire Join Growing List of States With New Insurance Data Security Laws

Ballard Spahr LLP
Contact

Ballard Spahr LLP

Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws.  These laws come on the heels of Connecticut’s law enacted a few days earlier.  Notably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations model, Delaware and New Hampshire followed South Carolina, Ohio, Michigan, and Mississippi in adopting a version of the model law put forth in 2018 by the National Association of Insurance Commissioner (“NAIC”).  Although the New York and NAIC frameworks are similar—both require written information security programs and impose a 72-hour breach notification deadline—the legislation as enacted by each state varies, resulting in a patchwork compliance framework for insurance companies that practice across multiple states.

The New Hampshire’s Insurance Data Security Law and Delaware’s Insurance Data Security Act apply to any individual or non-governmental entity that is required to be licensed, authorized, or registered pursuant to New Hampshire’s insurance laws (each a “Licensee”), and is intended to protect “nonpublic information,” defined, generally, as any information that can be used to identify a consumer, including health care information.  Excluded from covered Licensees are those entities with fewer than 20 employees (New Hampshire) and 15 employees (Delaware), an increase from the 10 employee exception found in the NAIC model law.

Under both laws, a Licensee is required to have a written information security program in which administrative, technical, and physical safeguards are implemented based on the results of a risk assessment.  A written incident response plan and a schedule for retention/process for destruction of nonpublic information must also be components of the information security program.  Written certification to the respective state commissioner that the Licensee is in compliance with these requirements must be submitted annually (though, New Hampshire and Delaware have different submission deadlines).  Compliance with such requirements are viewed in the context of the Licensee’s size and complexity, nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it possesses or uses.  The commissioner is authorized to “examine and investigate” any Licensee and to take “action that is necessary or appropriate” if the commissioner “has reason to believe” a Licensee is in violation of the law.  Notably, the New Hampshire law contains a safe harbor provision which deems compliant those Licensees who are in compliance with the NYDFS Cybersecurity Regulations.

Should a “cybersecurity event” occur—defined generally as unauthorized access to nonpublic information or the information system—both laws require notification to the commissioner within three business days (relaxed from NAIC’s rigid 72 hour deadline) from the determination that such an event has occurred.  If the nonpublic information was encrypted or the impacted nonpublic information was not used or has been returned or destroyed, such circumstances do not rise to a “cybersecurity event”.  In Delaware, under certain circumstances in which notice to the affected consumers is required, Delaware imposes a 60-day deadline and, further, requires the Licensee provide free credit monitoring services to the consumer for a period of one year.  The medium by which consumers must be notified is also detailed in Delaware’s law.

The Delaware law’s compliance deadline is July 31, 2020, and the New Hampshire law’s compliance deadline is January 1, 2021.  Both laws allow an additional year to ensure that third-party service providers are compliant.  

These recent laws serve as yet another reminder that insurance licensees need to closely monitor the changing legal landscape and be ready to adapt their practices to ensure compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.