On December 19, 2018, Ohio adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. Ohio thereby becomes the second state, after South Carolina, to adopt the Model Law, and the fourth state, alongside Connecticut and New York, to enact cybersecurity regulations specific to insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (For more information on South Carolina’s adoption of the Model Law, see our prior coverage.)
Ohio enacted the Model Law in the form of Ohio SB273 (Act), which, inter alia, adds Sections 3965.01-11 to the Ohio Revised Code. The Act is designed to “establish standards for data security and for the investigation and notification to the Superintendent of Insurance of a cybersecurity event.”
Ohio’s Act applies to licensees, defined as persons authorized, registered, or licensed under Ohio insurance laws, or required to be so. Ohio Revised Code (O.R.C.) § 3965.01(M). This means all insurers, agencies, and brokers doing business in Ohio are covered. By contrast, reinsurers domiciled outside of Ohio as well as risk retention groups and purchasing groups chartered and licensed in another state are excluded from the Act. Id.
The Act requires licensees to:
- Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within one year of the effective date of the Act;
- Perform a risk assessment that includes determining the appropriateness of implementing protections such as multifactor authentication, regular penetration testing, and encrypting data at rest;
- Develop a formal incident response plan to respond to a cybersecurity event as defined;
- Require their third-party service providers to implement security measures to protect and secure any information systems and personal information within two years of the effective date of the Act;
- Report data breaches to the Superintendent within three (3) business days after determination that a cybersecurity event has occurred; and
- Retain for five years all records concerning a cybersecurity event for inspection by the Superintendent.
In addition, the Act holds a licensee’s board of directors directly responsible for the oversight of the cybersecurity program and its results and makes the executive management solely responsible for all program governance activities and compliance reporting. O.R.C. § 3965.02(E).
The Act calls for promulgation of rules for its implementation, which rules must “consider the nature, scale, and complexity” of licensees in administering the law. O.R.C. § 3965.11.
While the Act largely tracks the Model Law, it departs from it in several significant respects:
Tort Safe Harbor
As under Ohio’s recently enacted Data Protection Act (O.R.C. 1354) (see our prior coverage), a licensee deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework is entitled under the Act to an affirmative defense to certain state tort actions. The defense applies to actions brought under Ohio law or in an Ohio court that allege that a failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information. O.R.C. §§ 3965.02, 3965.08.
Exclusive State Cybersecurity Standards
The Act and rules promulgated thereunder are the “exclusive state standards and requirements applicable to licensees regarding cybersecurity events, the security of nonpublic information, data security, investigation of cybersecurity events, and notifications to the superintendent of cybersecurity events.” O.R.C. § 3965.09. The Act does not, of course, supersede federal privacy or data security laws, such as HIPAA.
“Materiality” Trigger for Reporting
The Act limits the definition of cybersecurity event to the unauthorized access to or misuse of information “that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” O.R.C. §§ 3965.01, 3965.04. In this way, the Act focuses on those breaches most likely to cause harm to consumers. Like the Model Law, the Act excludes from the definition of cybersecurity event the unauthorized acquisition of encrypted nonpublic information, provided the encryption process or key was not also acquired, released, or used without authorization. O.R.C. § 3965.01(E).
Three Business Days to Report
Unlike the Model Law’s 72-hour requirement, the Act requires a licensee to report a cybersecurity event within “three business days” after determining that one has occurred. O.R.C. § 3965.04(A). After the initial report, the licensee must update the Superintendent only on “material developments” relating to the event. O.R.C. § 3965.04(A)(2).
De Minimis Exception
Certain small licensees are exempt from the Act, namely those with (i) fewer than 20 employees, (ii) less than $5 million in gross annual revenue, or (iii) less than $10 million in assets at the end of the licensee’s fiscal year. O.R.C. § 3965.07(A). HIPAA-compliant licensees are also deemed to be in compliance with the Act, provided they submit a certificate of compliance to the Superintendent. O.R.C. § 3965.07(B).
* * *
Ohio marks the fourth state to have adopted insurance-specific cybersecurity rules, with two having adopted the Insurance Data Security Model Law. With an increasing regulatory focus on cybersecurity and several other states considering the Model Law, we will likely see more states adopting the Model Law in 2019.