New State Cybersecurity Laws and Requirements in the Insurance Industry

By Steven L. ImberJennifer Osborn Nix, and Daniel L. Farris

Recent high profile data breaches involving large, prominent insurers have caused state insurance regulators to ramp up efforts related to cybersecurity issues.  These breaches have impacted tens of millions of individuals at a time, and resulted in multi-state market conduct examinations with each examination involving 50 plus jurisdictions. 

These multi-state market conduct examinations typically focus on:

  • Cybersecurity aspects of the breaches;
  • The companies’ responses to the breaches and any corrective action taken; and
  • The financial impact of the breaches on consumers, providers and the companies.

The National Association of Insurance Commissioner's Cybersecurity Task Force recently adopted Principles of Effective Cybersecurity Insurance Regulatory Guidance (“Cybersecurity Guidance Document”) consisting of 12 principles for effective insurance regulation of cybersecurity risks.  The 12 Principles apply to all licensees possessing personally identifiable consumer information including insurers, Third Party Administrators, and insurance producers.

In addition to the Cybersecurity Guidance Document, data security laws have recently been enacted in Connecticut, Oregon, Washington, and Rhode Island.  These new laws create new duties to report data breaches, amend or address encryption or require implementation of a comprehensive information security program.

Polsinelli’s Insurance and Privacy and Data Security practices include attorneys specializing in cybersecurity and other privacy and data security issues, as well as attorneys who were formerly insurance regulators. We can help companies create effective cybersecurity programs, including but not limited to:

  • Developing a Cybersecurity Testing Plan;
  • Monitoring and providing advice regarding state and federal cybersecurity laws;
  • Developing a Breach Response Plan; and
  • Modifying existing contracts/agreements to address cybersecurity issues and requirements. 

For more information, please contact the authors or your Polsinelli attorney.