Following in the footsteps of the New York Department of Financial Regulation (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variation from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification. Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states, and to stay current as states adopt new laws regulating cybersecurity.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, and complex litigation. She is a member of the Business Litigation Group and chairs the firm's Data Privacy and Security Team. She currently serves as general counsel to the Rhode Island Quality Institute. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations, as well as emergency data breach response and mitigation. She counsels clients on state and federal data privacy and security investigations and data breaches. Prior to joining the firm, Linn was a partner at Nixon Peabody, where she served as leader of the firm's Privacy & Data Protection Group. She also served as assistant attorney general and deputy chief of the Civil Division of the Attorney General's Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.