Proposed Regulations under Virginia’s Insurance Data Security Act

Sands Anderson PC

We recently provided an overview of Virginia’s new Insurance Data Security Act (the “Act”). Now, as required under the Act, Virginia’s Bureau of Insurance has proposed regulations (the “Proposed Regs”) implementing the Act. One of the primary effects of the Proposed Regs is to distinguish between smaller licensees and the rest of the pack for purposes of specifying requirements and timing around risk assessments and information security program security measures. Under the Proposed Regs, licensees with more than 10 employees and authorized persons are referred to as “level one” licensees, and those with 10 or fewer employees and authorized persons are referred to as “level two” licensees.

For risk assessments and implementation of security measures, the Proposed Regs point level one licensees to certain NIST publications and require that they consider cybersecurity risks in their enterprise risk management processes. For level two licensees, rather than point to NIST publications, the Proposed Regs set out specific elements and safeguards that must be addressed in risk assessments and implementation of security measures. Significantly, the Proposed Regs set different effective dates for compliance with these provisions for level one and level two licensees. The effective date for level one licensees is set for one year from the effective date of the Proposed Regs, while the effective date for level two licensees is set for July 1, 2022.

The Proposed Regs also provide procedures for reporting cybersecurity events to the Bureau generally, as well as options for domestic insurance companies to report certain additional details on an annual basis for cybersecurity events that do not involve access to nonpublic information (those options do not apply to domestic producers, however).

Finally, the Proposed Regs establish a notification procedure that appears to be intended to give the Bureau an opportunity to review and overrule a licensee’s determination that notice to consumers is not required under the Act because there is no reasonable likelihood of identity theft or fraud.  After reviewing a licensee’s basis for any such determination, the Bureau may determine that the requisite likelihood of harm does exist, and then require the licensee to notify consumers in accordance with the notification procedures in the Act.

The deadline for submitting comments or requesting a hearing in connection with the Proposed Regs is October 26, 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sands Anderson PC | Attorney Advertising
