3 State Variations in the Model Insurance Data Security Legislation

North Carolina: the 1st state to pass the model legislation, imposed the 72-hour notice requirement in the model.

Michigan: opted for a 10-day notice requirement

Ohio: allows licensees that have certain cybersecurity programs to use an affirmative defense against tort claims

Bloomberg | States Imposing New Cybersecurity Requirements on Insurers

Lege TREND. Refresher Insurance Data Security Bills.

SB273 (OH |2018) does the following:

  • Adopts the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law
  • OH becomes the 2nd state after South Carolina to adopt the model law
  • Requires licensees to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within 1 year of the effective date of the Act;
  • Perform…

Texas State Agency. 2nd Largest Health Care Data Breach in US for 2018. What you need to know:

What agency is involved? Employee Retirement System of Texas

What was the data breach? Personal health information data for other individuals was accessible when a person was logged into the agency portal

When did ERS receive notification? August 17, 2018

How many people were impacted? Nearly 1.25 million individuals

When did ERS report the incident? Reported to the U.S. Department of Health and Human Services as an “unauthorized access/disclosure” health data breach on October 15th

Gov…

5 Points. Apple Desired Information Privacy Law.

 

  • tech companies should de-identify customer data or not collect customer data
  • comprehensive federal law is necessary
    • why? tech companies that collect a lot of data are basically spies
  • people should have a right in their data, and a right to have that data minimized
  • consumers must be told what data is being collected & why
  • the data belongs to the users and users (consumers) should always have access to it

The gold standard law: GDPR in the EU

Ars Technica | Tim Cook Calls for Strong US…

Lege TREND. Data Breach Notification. State Preemption. 3 Reasons states oppose.

HR 6743 (2018) will preempt state data breach rules.

Opposition includes:

  • States with stronger data breach laws
  • States with stronger protection of insurance consumers
  • Hampers state ability to investigate and mitigate damages in the state

Lake County News | Jones urges House to oppose bill that undermines California security data protections

Business TREND. Cyber Insurance Growth Estimates.

German reinsurance giant Munich Re estimates the cyber insurance market will:

  • double by 2020 to over 8 billion dollars
  • corporate spending will be $3.4-$4 billion (3-3.4 billion euros) in 2017
  • corporate spending will be up to $8-$9 billion by 2020
  • economic costs of large-scale cyber attacks already exceed losses caused by natural disasters

PHYS.ORG | Cyber insurance market to double by 2020, says Munich Re

Health Care Data TREND. Governors Association Plan. 5 Steps.

  • 8 States collaborating with the Governors Association
    • Arkansas, Colorado, Delaware, Indiana, Iowa, Minnesota, Vermont and Washington
  • Establish best practices for health care data
  • Really long name: “Harnessing the Power of Data to Achieve State Policy Goals: The Foundation for State Success in Improving Quality and Reducing Costs”
  • 16 months
  • Goals:
    • enable a fuller and better use of the countless health-care data streams they collect and maintain
    • legislative fixes
    • regulatory fixes

+1 State Requiring Cybersecurity for Insurance Licensees

State: South Carolina

The Legislation: House Bill 4655 (2017-2018 | SC). South Carolina Insurance Data Security Act

Requirements for South Carolina Insurance Licensees: 

  • insurers must “develop, implement, and maintain a comprehensive information security program” for their customers’ data
  • based on model law with 3 steps and a 1/1/2019 effective date:
    • prevent breaches
    • detect unwelcomed access to data
    • remediate after a breach
  • including 3rd party oversight, with a 7/1/20 effective…