Effective July 1, Indiana added a new section to the Indiana Insurance Code (the “Act”) that covers Insurance Data Security. The changes require all regulated insurance companies licensed in Indiana to follow new data security and notification requirements. This article summarizes Indiana’s adaptation of the NAIC Insurance Data Security Model Law into the state insurance code.
- Maintain the security of information systems and non-public information
- Promptly Investigate cybersecurity events
- Notify Individuals of cybersecurity events
- Notify the Commissioner of Insurance of actual or potential cybersecurity events
What is Non-Public Information?
The Act requires licensees to protect non-public information, including certain business-related information, any personal information such as Social Security Numbers, identification numbers, or biometric data, or any consumer healthcare information on treatments, conditions, or payments. Now is the time to review the collection of non-public data, reduce unnecessary data collection, and delete the rest, minimizing risk in the case of a breach.
Who is a Licensee?
Generally, a licensee is an individual or a company that holds an insurance license from the state licensing agency. The Act defines a “licensee” as a person that is required by Indiana to be:
- licensed, authorized to operate, or registered; or
- required to be licensed, authorized to operate, or registered;
A Licensee does not include any of the following:
- A purchasing group or risk retention group that is chartered and licensed in another state.
- A person that is:
- acting as an assuming insurer; and
- domiciled in a state or jurisdiction other than Indiana.
It is essential to know the Act defines a “person“ as the following:
- an individual;
- a business entity;
- a multilateral development bank; or
- a government or quasi-governmental body, such as a political subdivision or a government sponsored enterprise.
Additionally, note “third-party service provider“ means (1) “a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store non-public information, or otherwise is permitted access to non-public information through its provision of services to the licensee” or (2) “an insurance-support organization.” Licensees must also follow the Acts protocols if the cybersecurity event involves a third-party provider.
Chief Information Security Officer
Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy The Chief Information Security Officer (“CISO”) may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider.
What is a Cybersecurity Event?
The Act centers around the occurrence of a “cybersecurity event,” which the Act defines as “an event resulting in unauthorized access to or a disruption or misuse of an information system or nonpublic information stored on the information system that has a reasonable likelihood of materially harming a consumer or any material part of the normal operations of the licensee.”
However, the term does not include the following:
(1) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
(2) An event in which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
Information Security Program
- Protect the security and confidentiality of non-public information and the information system
- Protect against any reasonably foreseeable threats or hazards to the security or integrity of non-public information and the information system
- Protect against unauthorized use or access to non-public information, and minimize the likelihood of harm to any consumer; and
- Define and periodically reevaluate a schedule for retention of non-public information and a mechanism for its destruction
Each licensee must comply with the eight requirements under subsection C of the Information Security Program section. Below is a focus on five of the requirements the Ardent Privacy solution helps with:
Identify and Mitigate Risk
- Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the non-public information used by the licensee or in the licensee’s possession, custody, or control;
- Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of non-public information;
- Develop, implement, and maintain procedures for the secure disposal of non-public information in any format;
Stay Informed on Emerging Risks and Secure Information Sharing
- Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
- Provide personnel with cybersecurity awareness training.
The Ardent Privacy solution helps identify data at risk and data in scope. It will also minimize the excess data and help meet various compliance requirements for the Insurance Data Security
Act. The process will:
- Reduce Financial Liability
- Offer protection from Data Breaches & Leakages
- Comply with various legal requirements
- Reduce Storage and Management Costs
- Reduces business liability in case of a cybersecurity event
- Reduce supply chain risk by eliminating excess data on the cloud and with third parties
- Increase Business Credibility
Requirements for Licensees:
Licensees must develop, implement, and maintain a comprehensive written information security program based on risk assessment. The written program must contain administrative, technical, and physical safeguards for the protection of non-public information and the licensee’s information system. The written program must correspond to the size and complexity of their business, the nature, and scope of the licensee’s activities, including working with third-party providers, and the use of sensitive non-public information or in possession, custody, or control by the licensee.
Protect: Licensees must protect the security and confidentiality of non-public information.
Prevent: Licensees must prevent the unauthorized access or compromise of non-public information.
Ensure: Licensees must properly retain and destroy non-public information.
Steps in Response to a Cybersecurity Event
A licensee must promptly investigate by answering the following questions:
- Did a cybersecurity event occur?
- What is the nature and scope of the cybersecurity event?
- Was any non-public information involved?
- What must licensees do to fix the security of their information systems to prevent future unauthorized acquisition, release, or use of non-public info?
Notice to Commissioner
Insurance companies must notify the commissioner as soon as possible, but not later than 3 business days, if a Cybersecurity Event occurs. The notice must include as much information as possible from the investigation. The Act requires notice if the event meets one of two conditions:
- Indiana is the licensee’s state of domicile, if the licensee is an insurer, or the licensee’s home state, if the licensee is a producer, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Indiana or materially harming any material part of the normal operations of the licensee.
- The licensee reasonably believes that the nonpublic information of at least two hundred fifty consumers residing in Indiana was affected by the cybersecurity event and that the cybersecurity event is either of the following:
- A cybersecurity event impacting the licensee of which notice is required to be provided by any other state, federal, or local law.
- A cybersecurity event that has a reasonable likelihood of materially harming:
- a consumer residing in Indiana; or
- any material part of the normal operations of the licensee.
Additionally, Insurers must annually submit to the commissioner a written statement covering the prior calendar year by February 28.
Notice to Consumers
Barring certain exceptions, the Act requires insurers to give notice by mail, telephone, or electronic notice if an event occurred or it reasonably believes one has occurred. Notice should include
- A description of the incident
- The type of non-public information subject to the event
- The steps the licensee is taking to protect the non-public information from unauthorized access
- A phone number to call for information and assistance
- Advise consumers to remain alert by monitoring account statements and credit reports
The Act includes three exceptions for licensees:
- Licensees subject to HIPAA that submit certifications and are complying with HIPAA requirements are exempt as long as licensees commitment to protecting information not covered under HIPAA
- A Licensee that is an employee, agent, representative, or designee of another licensee is exempt if the parent licensee’s information security program covers the licensee
- A Licensee with an affiliation with a depository institution maintaining an information security program in compliance with the Interagency Guidelines under the Gramm-Leach-Bliley Act. The Act considers a Licensee to meet the requirements by providing the Commissioner correct documentation to validate the affiliated depository institution’s adoption of an information security program that satisfies the Interagency Guidelines.
Licensees must regularly review their cybersecurity implementations to ensure they are up to date. Insurers have 180 days from the effective date to comply, except otherwise specified. Additionally, prepare for any new changes or amendments. Licensees must go beyond data protection by implementing data minimization to reduce risk, liability, and monetary impact.
The crucial first step of data security compliance is knowing what data you have, then identifying sensitive data and information assets that require protection under the law. Ardent Privacy’s solution provides data risk assessments and automates mapping, identification, and inventory data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability. Contact us for a free consultation!
Ardent Privacy articles should not be considered as legal or technical advice on Indiana’s insurance code or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.