There appears to be no stopping the continued breathtaking pace of cyberattacks as we head into 2018. In 2017, the Equifax data breach exposed the nonpublic information of over 140 million consumers; there were allegations that Uber hired hackers to conceal a data breach involving over 57 million rider accounts; and Yahoo confirmed that its 2016 data breach did, in fact, involve over 1 billion email accounts. Amazingly, these events have not prompted a significant push from Congress for national data security standards. However, following New York’s lead, state legislators and regulators (including those in Maryland) now appear ready to take up the mantle with the Insurance Data Security Model Law (“Model Law”) recently adopted by the National Association of Insurance Commissioners (“NAIC”). NAIC adopted the Model Law in October 2017 to establish standards for data security and investigation for the insurers or “licensees” its members regulate, but the Model Law may have broader implications for many other businesses as well.
There have been reports that both the House Financial Services Committee and Senate Commerce Committee are finally considering the issue of data security standards given recent events, but, given the trend of cyberattacks in recent years, the New York State Department of Financial Services (“DFS”) (which has regulatory jurisdiction over banks, insurance companies, and other financial services institutions in New York), was not content to wait and enacted 23 NYCRR Part 500 on March 1, 2017. New York’s cybersecurity regulation was the first in the nation to mandate protection by banks, insurers and other financial institutions within DFS’ regulatory jurisdiction of their customer information from cyberattacks and has become the “gold standard” for the nation’s financial services industry.
Not surprisingly, NAIC looked to New York’s cybersecurity regulation as a guiding star for its own efforts to draft the comprehensive data security standards for insurers provided in the Model Law. NAIC’s initial drafts of the Model Law contained some important distinctions (such as the need to provide an annual report summarizing the covered entities’ risk assessments rather than an annual certification or the need to provide notice of cybersecurity events to not just the insurance commissioner but also independent producers), but a drafter’s note in the most recent Version 6 of the Model Law provides that compliance with New York’s cybersecurity regulations also constitutes compliance with the Model Law.
As with New York’s cybersecurity regulations, NAIC’s Model Law requires, among other things, the following:
Creation of a comprehensive Information Security Program based on a risk assessment that identifies risks to the business, including its use of Third-Party Service Providers, and determination of which security measures are appropriate to implement;
Designation of an individual to oversee the Information Security Program;
Oversight by the Board of Directors;
Oversight of Third-Party Service Provider agreements;
Establishment of an incident response plan;
Investigation and notification of Cybersecurity Events within 72 hours from a determination that a reportable Cybersecurity Event has occurred; and
Providing an annual certification of compliance to the Insurance Commissioner by February 15 of each year.
In accord with New York’s cybersecurity regulation, the Model Law includes exemptions from compliance for licensees with fewer than 10 employees or for employees or agents of licensees that are otherwise protected by the information security program of the licensee. However, the Model Law includes far fewer exemptions than found under New York’s cybersecurity regulation and is noticeably missing the particular exemptions New York has provided for covered entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years or less than $10,000,000 in year-end total assets.
NAIC’s move towards conformity with New York’s cybersecurity regulations has pleased some commentators hoping to establish a single data security standard for insurers, but Version 6 still does not include the “exclusive standards for data security applicable to licensees in the state” language that some were advocating for NAIC to include. Many of these commentators express concern about a “patchwork” regulatory environment and highlight that company wide data security programs generally do not vary from state to state because the security risks do not vary from state to state. NAIC has clearly taken efforts to address those concerns, but, to the extent the Model Law incorporates the varying breach notification laws of the adopting states, complete uniformity was likely always an elusive goal.
Following NAIC’s adoption of the Model Law, insurance commissioners from each state are expected to work with state legislators for broader adoption. NAIC pointed out in its recent Fall National Meeting that the Treasury Department’s October 2017 report on the asset management and insurance industries includes a recommendation that Congress enact a national insurance cybersecurity law if states fail to enact uniform cybersecurity laws within five years. Thus, it is anticipated that the Model Law will soon be introduced for enactment around the nation. The individual political environments of each state is beyond the scope of this article but it would not be unreasonable to bet that most states will choose enactment over being subjected to a superseding federal law. Hence, the Model Law is something that businesses should be paying attention to now.
Unlike New York’s cybersecurity regulations, which apply to not only insurers but also a wider array of financial service institutions, the enacted Model Law will likely only apply to insurance licensees, but there are still broader implications for other businesses. The law applied by courts for lawsuits brought by individuals impacted by data breaches is evolving but it is possible that many courts may begin to look to the data security standards of the Model Law as the “standard of care” for all businesses. Moreover, insurers lacking sufficient actuarial data to properly assess their exposure from new cybersecurity policies will likely start using things like adherence to data security standards, such as those in the Model Law, as a measuring stick for underwriting. That may force many businesses to conform to those standards to obtain coverage or to avoid costly premiums.
Finally, state legislators may find it impractical to have breach notification laws that generally apply to all businesses alongside data security standards that only apply to insurance licensees and may enlarge the scope of the Model Law to cover more businesses or may incorporate the data security standards of the Model Law into the breach notification laws. Section 14-3503(a) of the Maryland Personal Information Protection Act (Maryland’s breach notification statute) already requires Maryland businesses to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.” The consideration of NAIC’s Model Law will provide Maryland legislators with a perfect opportunity to more precisely describe those “reasonable security procedures and practices” as NAIC has done the work for them.
That being so, it behooves all businesses, including those in Maryland, to become familiar with the requirements of the Model Law now so that an objective assessment of the impact can be determined and the costs and administrative burdens of any future compliance can be smoothly rolled into existing budgets.