We previously informed our readers about regulations being proposed by the Virginia Bureau of Insurance (BOI) pursuant to Virginia’s relatively new Insurance Data Security Act (IDSA). After considering comments received in response to the proposed regulations (Proposed Regs), the BOI has just proposed (and has asked the State Corporation Commission to enter an order adopting) revised regulations (Revised Regs). In its filing, the BOI has also provided responses to submitted comments, explaining the BOI’s rationale for making (or not making) certain changes to the Proposed Regs. The following is a summary of the most significant changes you will find in the Revised Regs:
- Elimination of Licensee Size Distinctions. The Revised Regs completely remove the “level one” and “level two” licensee definitions and distinctions made in the Proposed Regs. Those distinctions in the Proposed Regs pertained to the manner in which each category of licensee was required to assess risk and develop an information security program (InfoSec Program).
- Assessment. Rather than requiring larger licensees to conduct risk assessments consistent with National Institute of Standards and Technology (NIST) or similar standards, while requiring smaller licensees to be consistent with processes enumerated in the Proposed Regs (Assessment Processes), the Revised Regs simply require all licensees to conduct their periodic risk assessments consistent with the Assessment Processes – taking into account the licensee’s size and complexity. The Revised Regs also provide that conducting assessments in accordance with certain NIST or substantially similar standards will meet the periodic assessment requirements in the Revised Regs.
- InfoSec Program. Rather than requiring larger licensees to implement security measures consistent with NIST or similar standards, while requiring smaller licensees to implement appropriate measures as provided in the Proposed Regs (InfoSec Measures), the Revised Regs simply require all licensees to implement the InfoSec Measures as part of their respective InfoSec Programs and based on their respective risk assessments. The Revised Regs also provide that implementing security measures in accordance with certain NIST or substantially similar standards will meet the InfoSec Measures required in the Revised Regs. Remember, the IDSA provides additional InfoSec Program requirements that licensees must also address.
- Notice Supplementation Clarified. The Revised Regs clarify that a licensee must continue to update the commissioner after initial notification of a cybersecurity event until the licensee has provided “as much of” the information required by the IDSA as possible. The Proposed Regs required continued reporting until “all” of the required information was provided to the commissioner.
- Multifactor Authentication. The BOI indicated in its filing that it had changed the reference to multi-factor authentication (MFA) in InfoSec Measures to be clear that MFA is not automatically a required security measure when implementing effective controls for authorized access to nonpublic information. It appears from the BOI’s commentary in its filing that the BOI intended for the Revised Regs to state that a licensee must implement effective controls, “which may include” MFA for authorized access to nonpublic information; however, the Revised Regs do not, as of this writing, include that change. The author here will follow up with the BOI on this point.
- Elimination of BOI Right to Reverse Notification Decision. While the Revised Regs maintain the requirement that a licensee notify the commissioner (and provide an explanation) if the licensee does not intend to notify consumers based on a belief that the cybersecurity event does not have a reasonable likelihood of causing identity theft or fraud, the Revised Regs eliminate the prior provision that would allow the commissioner to overrule the licensee and require notification to consumers.
The Revised Regs will serve to address certain aspects of the IDSA; however, there is much more to compliance than what is contained in the Revised Regs. All Virginia licensees should become familiar with the IDSA, which became law last year, and should consult with their legal and security technology advisors to make sure they are taking proper steps to comply with the law and to protect their systems and information.