select
This is a tooltip for the edit command button
Fred E. Karlinsky, Esq.
GREENBERG TRAURIG LLP
(954) 768-8278
Christian Brito, Esq.
GREENBERG, TRAURIG, P.A.
(954) 768-8279
Timothy F. Stanfield, Esq.
GREENBERG TRAURIG, P.A.

CYBERSECURITY AND DATA PRIVACY IN THE INSURANCE INDUSTRY MAINTAINING A CULTURE OF COMPLIANCE WITH EVOLVING STANDARDS

In recent years, there have been several major data breaches involving large companies that have exposed and compromised the sensitive personal information of millions of consumers across the United States. Despite record-shattering data breaches the United States has yet to develop a uniform and comprehensive regulatory scheme for data. Instead, there are piecemeal responses at the federal level, which, at times, compete with individual state laws.

The EU General Date Protection Regulation (GDPR) only complicates matters further because those standards and the regulators that enforce them are not bound by United States regulatory and litigation norms.

The U.S. government has generally approached privacy and security by regulating data security for specific sectors like healthcare and finance. A good example is the Health Insurance Portability and Accountability Act (HIPAA), which is the United States’ primary health privacy and security law, and applies only to “covered entities” holding “protected health information.” Separate privacy laws govern specific areas of the U.S. health-care system. For example, student immunizations and other school health records are generally covered by the Family Educational Rights and Privacy Act, (FERPA), which was enacted in 1974. 

FERPA, in turn, intersects with and sometimes conflicts with the Children’s Online Privacy Protection Act of 1998, which protects data of children under the age of thirteen.

California enacted the first data-breach notification law in 2003, and was followed by forty-eight states that have since passed laws that require individuals to be notified if their information is compromised. These laws have different and sometimes incompatible provisions regarding what categories and types of personal information warrant protection, which entities are covered, and even what constitutes a breach. Notification requirements also vary greatly among states. For example, New Jersey requires that the state police Cyber Crimes Unit be notified, while Maryland requires that the state’s attorney general be notified before any affected individual is notified.

The California Consumer Protection Act, (CCPA), which took effect on Jan. 1, 2020, is arguably the most comprehensive privacy law in the United States. Inspired by the GDPR, the CCPA requires companies to comply with numerous requirements related to collecting and processing the personal information of California consumers, including a 12-month look back period for consumer requests. Companies that fail to comply with these new privacy regulations may face regulatory enforcement actions, steep fines, consumer litigation, and loss of customer goodwill.

The insurance industry and financial services sector are subject to some of the most recent and comprehensive data privacy and protection laws and regulations in the United States. Insurance regulators across the country have taken note of high-profile breaches involving U.S. insurers and have made cybersecurity and consumer data protection a top priority. As a result, some states have developed comprehensive cybersecurity laws and regulations that specifically apply the insurance or financial services industries.   

The New York Department of Financial Services’ landmark Cybersecurity Regulations for insurance companies and financial institutions, were passed in 2017 and have since taken effect. The rule requires insurance companies, banks, and other financial services companies regulated by the New York DFS to adhere to strict standards to protect consumers from cyber threats.

The rule implements a host of requirements including the creation and filing of an Annual Risk Assessment, which will be used to evaluate an entity’s cybersecurity policies. The assessment must include how identified risks will be evaluated; how the entity’s systems and controls will be evaluated for adequacy; and how risks will be either accepted or mitigated. Another key requirement of New York’s regulation is the establishment of a Cybersecurity Policy. 

The Cybersecurity Policy should be developed based on the Risk Assessment, and must be approved by the company’s Board of Directors, or board committee, as appropriate. The Policy is the company’s statement of how it will protect data. There are required elements of the Policy, including software protections, physical safeguards, training requirements, and breach response plans.   The decision-making process behind the development of the policy, and any subsequent amendments, should be well documented because, like the Risk Assessment, the Cybersecurity Policy can be reviewed by regulators and their examiners.

Companies must have written policies for ensuring third-party contractors do not compromise data. The policies must include guidance for identifying risks posed by third party service providers, minimum standards that must be adopted by contractors, guidance for selecting contractors, and guidance for the periodic evaluation of service providers. 

Although planning for cybersecurity breaches is implicit in the requirements, there is a specific requirement for Incident Response Plans. These written plans must be prepared in advance based on the Risk Assessment, and should describe the procedures personnel will follow, the roles and responsibility of to remediate or mitigate the harm caused. There is also a notice requirement to the Superintendent of the New York DFS for types certain breaches, although important, it is not a blanket requirement to report every breach. If the entity must report the breach to another government agency or supervisory body, such as the Financial Industry Regulatory Authority or another insurance department, then notice must also be provided to the Superintendent of the New York DFS. Other breaches must only be reported if there is a “reasonable likelihood of material harm” to the entity.

In early 2016, the National Association of Insurance Commissioners (NAIC) began drafting the Insurance Data Security Model Law. This model was adopted by the NAIC in October 2017 following extensive deliberations and input from state insurance regulators, consumer representatives and the insurance industry. State adoption of the model is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information 

The New York Cyber regulation had a significant impact on the development of the NAIC Model. The Model requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an Information Security Program (ISP). Licensees investigate cybersecurity events in accordance with its requirements and notify the state’s insurance commissioner of any cybersecurity events.

The ISP must contain administrative, technical, and physical safeguards for the protection of non-public information and the licensee’s information security system. The ISP should also be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee’s possession, custody or control. The ISP must be developed and maintained based on an ongoing internal risk assessment.

Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, and Ohio now join South Carolina as early adopters of the NAIC law. 

It is important to note that, since each state will likely adopt its own version of the NAIC model, the New York Cybersecurity Regulation, or some variant of the two, we can expect to see variation between state requirements over the next several years. Companies will need to decide how best to approach compliance with potentially inconsistent requirements.

In that regard, companies must ensure that they have robust compliance protocols in place to stay abreast of new and developing laws in order to ensure that they achieve a culture of compliance within required timeframes. In addition, given the ever-evolving U.S. regulatory landscape, companies should begin implementing certain internal cybersecurity measures prior to adoption by regulators.  

To that end, companies can look to legal and regulatory schemes like the New York DFS Cybersecurity Regulation, the CCPA, and the NAIC Model as examples of requirements they will likely be required to comply with in the future.

Companies should conduct an annual risk assessment. The risk assessment should be used to inform the entity’s cybersecurity written policies and procedures. Written guidelines must include how identified risks will be evaluated, the adequacy of the entity’s systems and controls, and how risks will be either accepted or mitigated. The assessment should be a meaningful review of the company’s cyber resiliency. If done right, it should help an entity understand its vulnerabilities and plan accordingly.  Some key areas that the cybersecurity program must cover include software protections, physical safeguards, training, and breach response plans. 

Insurance company boards must be involved in their companies’ cybersecurity and data privacy activities and must go beyond merely “check-the-box” compliance. Cybersecurity risk is quickly morphing into enterprise risk, which creates the need for a whole-company approach. This means that cybersecurity is not just a problem for the company’s IT department—today, it is everyone’s problem, especially the board.

This article was originally published in the Winter 2020 edition of the Demotech Difference (www.demotech.com). 

References