Late in 2018, the state of Ohio started the process of implementing the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. Ohio will become the second state in the United States to move forward with adopting this law framework, following South Carolina. The original model law developed by NAIC in 2017 looks to introduce multiple measures in order to improve current cybersecurity implementations specifically for insurers.
The model law is also written to provide a level of standardization to reduce ambiguity between each individual firm, allowing each to understand what exactly the law requires, should the states implement it.
The impetus for the creation of the NAIC Insurance Data Security Model Law was a handful of large security breaches in the insurance industry in 2015. NAIC wanted to generate a model law that would be practical in nature to encourage states to adopt the guidelines and keep the subsequent cybersecurity laws as consistent as possible so the industry could collectively comply. The model law addresses both standards for preventative measures, as well as standards for investigations post-breach.
Link to the original NAIC Model Law: https://www.naic.org/store/free/MDL-668.pdf
What does this mean for Ohio?
The Act put forth by Ohio has much of the same framework as the original model law. Some of the main points of the original model law are as follows.
- Risk Assessment to determine necessary controls, potential damage of various threats, and how current policy manages the threats;
- Risk Management to mitigate identified risks during the assessment by introducing appropriate security measures, physical or digital;
- Oversight by Board of Directors, which may delegate responsibility of the development, implementation, and maintenance of the cybersecurity plan, but are held directly accountable;
- Program Adjustments as an ongoing effort to maintain proper risk assessment and management; and
- Incident Response Plan in order to have a course of action in the event of a breach to act quickly and concisely.
Ohio took these tenants and added some amendments. First, there is a Tort Safe Harbor section (See our previous blog post, Ohio Data Protection Act Offering Safe Harbor). Second, Ohio inserted a restriction on what constitutes a “cybersecurity event” that would require reporting. Thus, only breaches that are deemed most likely to affect consumers will be focused on. Finally, the “72-hour Rule” of the model law was transitioned into a “3-Business-Days Rule” to report an event after a determination is made that one occurred.
Link to Ohio Senate Bill 273: https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-273
A cybersec revolution in the works
A cybersecurity revolution is in the works, and perhaps overdue, as it seems like corporate breaches are happening on a consistent basis. Adopting the NAIC Insurance Data Security Model Law will allow the insurers of Ohio to adhere to a standardized cybersecurity initiative to better protect their data and be informed as to what their responsibility is to their clientele. In our opinion, it will also likely lead to the requirement for insureds to adopt similar types of requirements if they are not already following an applicable framework (i.e. NIST Cybersecurity Framework, ISO27001, etc.)
By Ian Finch, BS, CGFA,
Senior Forensic Analyst
Vestige Digital Investigations