In April 2022, two states enacted insurance data security legislation based on the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law (MDL-668). Kentucky Governor Andy Beshear signed HB 474 into law on April 8, 2022, and Maryland Governor Larry Hogan signed SB 207 into law on April 21, 2022. The new laws establish data security obligations for insurance carriers and generally require carriers to take the following actions, subject to certain exemptions:
- Conduct risk assessments;
- Develop, implement and maintain a comprehensive written information security program based on the risk assessment and ensure that the program includes (1) specified data security safeguards, (2) requirements for secure development practices, and (3) a cybersecurity incident response plan;
- Stay informed of emerging threats and vulnerabilities, and use reasonable security measures when sharing information;
- Address cybersecurity risks in relevant enterprise risk management processes;
- Provide cybersecurity awareness training to personnel;
- Obligate service providers to implement and maintain appropriate data security measures;
- Provide regular reporting to the insurance carrier’s board of directors on the overall status of the information security program, the insurance carrier’s compliance with the data security law, and material matters related to the information security program (such as risk assessments, risk management and control decisions, results of cybersecurity testing, cybersecurity events, and recommendations for any changes to the information security program);
- Submit written compliance certifications to the relevant state Insurance Commissioner on an annual basis;
- Maintain records of the insurance carrier’s compliance with the law and its own information security program; and
- Report certain cybersecurity incidents to the relevant state Insurance Commissioner within three business days of a determination that a cybersecurity incident has occurred.
Maryland’s law takes effect on October 1, 2022, with certain grace periods for compliance as follows:
- Insurance carriers have until (1) October 1, 2023, to comply with many of the law’s requirements for a written information security program, and (2) October 1, 2024, to implement the law’s service provider oversight requirements.
Kentucky’s law goes into effect on January 1, 2023. Similar to Maryland, the Kentucky law grants a one-year grace period with respect to the requirement to establish a written information security program and a two-year grace period for compliance with relevant service provider oversight requirements.