On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyberinsurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.
Most cybersecurity professionals are aware of the New York Department of Financial Services’ requirement that DFS-licensed entities certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year). Less well known is that numerous other states impose similar requirements on regulated insurance entities, and that the deadline for many states is coming up on February 15, 2021.
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
On December 19, 2018, Ohio adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. By doing so, Ohio joins South Carolina as the second state to have adopted the Model Law and the fourth state – along with Connecticut and New York – to have enacted cybersecurity regulations for insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (For more information on South Carolina’s adoption of the Model Law, see our prior coverage.)
Three Boston-area hospitals collectively paid just under $1 million to settle allegations that they violated HIPAA by improperly disclosing patients’ identities and other protected health information during onsite filming of a television network documentary. According to the Department of Health and Human Services Office for Civil Rights (OCR)’s September 20, 2018 press release, the three hospitals – Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) – permitted film crews to film an ABC television network documentary series on premises without first obtaining authorizations from patients. Collectively, the three hospitals paid $999,000 to settle potential violations of the HIPAA Privacy Rule, with BMC paying $100,000, BWH paying $384,000, and MGH paying $515,000.
On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.” Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.