What Every P&C Carrier Needs to Know About Data Protection and Privacy
Data breaches made headlines around the world in 2018. Companies like T-Mobile, Quora, Google, Orbitz and Facebook were affected, exposing the personal information of millions of people.
Data protection and privacy are serious issues in today’s hyper-connected world, and they’re taking center stage in many state legislatures. The risks and challenges of data security should be of utmost concern for companies, agents and brokers in the property and casualty insurance field.
Top Issues in Insurance Data Security and Privacy
Questions of data security, protection and privacy arise daily. What causes these breaches, and how can they be prevented?
“Data breaches can happen for a variety of reasons. Some companies are hacked. Data can be mishandled or sold to third parties. Holes in a website’s security system can leave information unprotected,” says Paige Leskin at Business Insider.
Companies face a continuously pressing need to protect customer and business data while keeping communication simple and accessible for all. 2018 marked the first year in which many states took active regulatory measures aimed at this challenge in the insurance sector. As insurance data security legislation spreads, the compliance questions it raises grow more complex for insurance companies.
One of the largest issues facing insurance providers is the lack of consistent data security and privacy requirements across states.
State responses to data protection and privacy concerns have appeared in a patchwork fashion. All 50 states currently have data breach notification laws, but the majority have not addressed cyber security in the insurance context specifically, say Bindu Nair and Sean B. Hoar, attorneys at Lewis Brisbois Bisgaard & Smith LLP.
For instance, California’s data privacy law gives consumers unprecedented control over their personal data, posing both challenges and opportunities for insurance companies that operate in the state, says Don Jergler in Insurance Journal.
These laws currently vary by state, but the idea of a nationwide data breach notification law has been endorsed by the US Treasury Department, say Nair and Hoar.
Data Protection Costs
Changes in data protection regulations are also leading to cost concerns for property and casualty insurers, particularly when these companies are already facing the twin challenges of falling auto insurance enrollment and rising property damage claims.
“The real effect will be an enormous ballooning to the cost of compliance, which is likely not part of the institution’s current budget,” predicts Richard Fernandez, a cyber liability specialist.
Those costs include dedicated cybersecurity and compliance staff, which several recently enacted state laws require. And because courts have reached differing decisions in civil litigation over breaches of customer data, insurance companies also face an increasingly complex legal landscape, says attorney Kimberly Horn.
States Take Action on Data Security
In the absence of a unified federal response on insurance data security, US states have begun regulating the issue themselves. New York and Rhode Island have enacted rules on insurance data protection and privacy, while South Carolina, Michigan and Ohio adopted a model law in 2018.
Additional states — including Georgia, Illinois, Kentucky, Maryland and Virginia — are considering insurance data security laws. Such state-initiated changes require local property and casualty insurers to confront an increasingly complex regulatory landscape, says Christopher M. Brubaker at PropertyCasualty360.
New York paved the way for insurance-specific data protection regulation. The state’s Department of Financial Services (DFS) cybersecurity regulation, 23 NYCRR Part 500, took effect in 2017. It requires covered entities, insurance companies among them, to use multifactor authentication for any individual accessing internal networks from an external network (unless the CISO approves in writing reasonably equivalent or more secure controls) and to notify DFS of qualifying cybersecurity events within 72 hours. It also imposes governance and accountability requirements, including the designation of a chief information security officer (CISO), says Larry Bianculli, managing director at CCSI.
The NAIC Insurance Data Security Model Law, adopted in late 2017, is modeled on the New York regulation. Several states have adopted the model law in full, while others are considering bills that would enact some of its provisions.
South Carolina made headlines in May 2018 by becoming the first state to adopt the NAIC Insurance Data Security Model Law.
South Carolina’s law requires both individuals and companies licensed under the state’s insurance laws to meet new data security requirements. Central to the law is the requirement to maintain a comprehensive written information security program (WISP), says Nameir Abbas, an attorney at Alston & Bird.
If a data breach occurs, insurers are required to investigate the event, assess its nature and scope, identify compromised information and “undertake reasonable measures to restore the security of the information compromised,” say Joshua Mooney, Richard Borden and Sedgwick Jeanite at White & Williams LLP. Insurers are also required to report certain events to the state’s insurance department.
Michigan and Ohio
Michigan and Ohio followed in December 2018, each enacting an insurance data security law based on the NAIC Insurance Data Security Model Law. The new laws apply to any individual or company licensed by the respective state’s insurance department.
Michigan’s law also incorporates several provisions of the state’s ID Theft Prevention Act, says Kate Hanniford, an attorney and cybersecurity response team member at Alston & Bird.
Ohio’s law only covers insurers, agencies and brokers that do business in Ohio. “Reinsurers domiciled outside of Ohio as well as risk retention groups and purchasing groups chartered and licensed in another state are excluded from the Act,” say Edward R. McNicholas and Thomas D. Cunningham, attorneys and partners at Sidley.
Understanding the Insurance Data Security Model Law
The NAIC Insurance Data Security Model Law “establishes a legal framework for requiring insurance organizations to operate complete cybersecurity programs,” says Matt Franko, a security, privacy and risk director at RSM. This framework covers a wide range of data security issues, from cybersecurity testing and board oversight to incident response plans and breach notification procedures.
The model law has already been adopted by several states and is under consideration in others. Its spread makes it worth the attention of P&C insurance companies, agents and brokers.
Three notable provisions define this legislation, say Andreas Kaitsounis and Shea M. Leitch, attorneys at Baker Hostetler. First, the model law defines nonpublic information broadly, including not only customers’ personal information but also certain types of sensitive business information.
“As just one example, this means that a ransomware event that cripples an entity’s business operations would likely trigger a notice obligation even if the event did not involve personal information,” say Kaitsounis and Leitch.
The model law also sets strict requirements for information security programs, including a written program, an incident response plan and oversight both of the organization’s own operations and of its third-party service providers.
Finally, the model law’s confidentiality provisions are quite broad, protecting information related to cybersecurity events from public records requests, subpoenas or use in private civil litigation.
Although the NAIC has actively promoted the adoption of its model law by various states, the model law itself has no effect until it is enacted by a state legislature. To date, several states have enacted the model law with modifications to suit their own existing insurance regulation systems.
For example, while the model law gives licensees one year from its effective date to implement most of its requirements, Michigan spelled out its own phase-in schedule. The law takes effect on January 20, 2020, giving insurers one year to comply with most of the provisions and two years to meet the requirements for third-party service providers, say Lawrence R. Hamilton, Jeffrey P. Taft and Matthew Bisanz at PropertyCasualty360.
The model law requires insurers to follow a state’s general requirements for data breach notification. Yet both Ohio and Michigan replaced this language with specific data breach notification requirements that apply solely to insurance agents, brokers and companies covered by the act, says attorney and shareholder Josephine Cicchetti.
As states continue to adopt their own iterations of the model law, insurance carriers will need to track how data privacy regulations change both across jurisdictions and over time.