On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.
Information Security Program Requirements
Under the new law, licensees must develop, implement and maintain a comprehensive WISP that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. Licensees must conduct a risk assessment to create a WISP “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information.” Among other requirements, licensees’ information security programs will be required to:
- monitor emerging threats or vulnerabilities and use reasonable and appropriate security measures when sharing nonpublic information;
- annually assess the effectiveness of existing information safeguards;
- designate an employee, affiliate or outside vendor that is responsible for the information security program;
- provide cybersecurity awareness training to personnel and update the training as necessary;
- conduct due diligence when selecting third-party service providers, who must be required to implement appropriate administrative, technical and physical measures to protect licensees’ information systems and nonpublic information;
- develop and periodically reevaluate a retention schedule and destruction mechanism for nonpublic information; and
- establish a written incident response plan.
Licensees must annually certify their compliance with these information security program requirements in writing to the Vermont Deputy Commissioner of Insurance (the “Commissioner”) by April 15 and maintain records supporting the certification for five years. If a licensee has a board of directors, it also must provide the board with an annual written report on the WISP, compliance with the Vermont Insurance Data Security Law and other material matters related to information security.
Cybersecurity Event Investigation and Notification Requirements
Under the law, licensees must promptly investigate actual and potential cybersecurity events and undertake reasonable corrective measures. Licensees must maintain records about these cybersecurity events for at least five years. However, unlike MDL-668 and other state laws based thereon, the law does not impose notification obligations on licensees following a cybersecurity event. Instead, licensees are bound by the notification requirements of the Vermont Security Breach Notice Act, 9 V.S.A. § 2435.
Certain Licensees Are Exempt from the Law’s Requirements
Licensees will be exempt from the law’s information security program requirements if they (1) have fewer than 20 employees, including independent contractors; (2) are subject to HIPAA, maintain a HIPAA-compliant information security program and submit an annual written certification to the Commissioner; (3) are an employee, agent or representative of another licensee that is covered by the other licensee’s information security program; or (4) can produce documentation, as requested by the Commissioner, that they are subject to and in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth under the Gramm-Leach-Bliley Act.
Licensees are wholly exempt from the law if they are compliant with the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR §§ 500.0 to 500.23) and they submit a written statement to the Commissioner certifying such compliance.
Enforcement and Penalties Under the Law
The law is to be enforced by the Commissioner and does not contain a private right of action. The Commissioner can investigate licensees to determine if they have violated the law, suspend or revoke the licensee’s license, report violations to the Vermont Attorney General for prosecution and issue administrative penalties of $1,000 per violation or $10,000 per willful violation.
The law will go into effect on January 1, 2023. However, licensees will have until January 1, 2024 to comply with the information security program requirements and until January 1, 2025 to implement the third-party diligence requirements.