ODI Issues Guidance for Mandatory Reporting of Insurance-Related Data Breaches
Ohio became the third state to enact insurance-specific legislation pertaining to data security on March 20. While most of the bill’s requirements have staggered implementation dates, there is a portion that took effect in March.
If you believe your agency may have had a cybersecurity event occur that involved nonpublic information either in your system or in a system maintained by a third-party vendor, you are now required to take certain steps to address it.
The Ohio Department of Insurance (ODI) recently released several items to provide guidance to insurance agents and companies if a breach is thought to have occurred.
NEW INVESTIGATION AND BREACH REQUIREMENTS
Under Senate Bill 273, all agencies, regardless of size, are now required to conduct a prompt investigation should they learn that a cybersecurity event involving nonpublic information has or may have occurred, either in their own system or in that of a third-party vendor.
"Nonpublic information" means information that is not publicly available information and is one of the following:
(1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
(2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
Social Security number;
Driver's license, commercial driver's license, or state identification card number;
Account, credit card, or debit card number;
Any security code, access code, or password that would permit access to the consumer's financial account;
(3) Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
The provision of health care to the consumer;
Payment for the provision of health care to the consumer.
In addition, in certain instances, notification of a breach may be required to ODI within three business days. In the case of an agent discovering a cybersecurity event in a system maintained by a third-party service provider, any notification deadline would begin on the day after the third-party service provider notifies the agent of the cybersecurity event or the agent otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
Where to find guidance
Several resources to help agencies comply with this requirement have been added to the newly-created Information Security Resource Center on ODI’s website. The resources that can be found to assist agents and companies include:
Please contact OIA and your cyber insurance carrier immediately if you think you may have had a cybersecurity event, so that we can help you understand any obligations you may have to report the event to ODI or to consumers.
Other Requirements of Ohio’s New Insurance-Specific Cybersecurity Law
OIA was able to make several improvements to Ohio’s cyber bill for agents, beyond what exists in the national model legislation and cyber bills that have passed in other states.
Notably, the majority of Ohio agencies will have a large burden alleviated as they will be exempt from a requirement to develop a comprehensive written cyber plan and exercise due diligence in selecting third-party service providers.
This is a big win, as the national model legislation sets the exemption at agencies with fewer than ten employees, including independent contractors.
Additionally, Ohio’s cyber law has language added that states that the superintendent of insurance shall consider the nature, scale and complexity of licensees (i.e. insurers and agencies) in administering the cyber law and adopting any rules necessary to implement the law.
This means consideration will be given to the ability of agencies to comply with the complexity of the law, and that any further rules developed should be “right-sized.”
WRITTEN CYBER PLAN AND THIRD-PARTY SERVICE PROVIDER DUE DILIGENCE REQUIREMENTS
Agencies are exempt from the requirement to develop and maintain a comprehensive written cybersecurity plan and exercise due diligence requirements over third-party service providers if they meet any of the following criteria:
(1) Have fewer than twenty employees.
(2) Have less than five million dollars in gross annual revenue.
(3) Have less than ten million dollars in assets, measured at the end of the agency’s fiscal year.
Agencies not exempt from these requirements have plenty of time to get ready to comply: the requirements for a written cybersecurity plan are delayed for one year following the effective date of the bill (i.e., until March 20, 2020), and the due diligence requirements for third-party service providers have a two-year delay (i.e., until March 20, 2021).
WHAT YOU NEED TO DO RIGHT NOW
At this time, there is nothing you need to do (that is unless you think you may have had a data breach). Stay tuned -- OIA will continue to keep you informed on these new cyber requirements as more information becomes available to help comply with the various provisions of the bill.