Effective July 1, Virginia’s Insurance Data Security Act (the “Act”) requires insurance licensees regulated in Virginia to follow new data security and notification requirements. This article summarizes Virginia’s adaptation of the NAIC Insurance Data Security Model Law. Under the Act, licensees must:
- Maintain the security of information systems and non-public information
- Promptly investigate cybersecurity events
- Notify affected individuals of cybersecurity events
- Notify the Commissioner of Insurance of actual or reasonably suspected cybersecurity events
What is Non-Public Information?
The Act requires licensees to protect non-public information, which includes certain business-related information; personal information such as Social Security numbers, identification numbers, or biometric data; and consumer healthcare information on treatments, conditions, or payments. Now is the time to review what non-public data is collected, stop collecting what is unnecessary, and securely delete what is no longer needed, so that less data is exposed if a breach occurs.
Who is a Licensee?
Generally, a licensee is an individual or a company that holds an insurance license from the state licensing agency.
The Act defines a “licensee” as “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth.” A licensee “does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”
Note that the Act defines a “person” as “any individual or any non-governmental entity, including any non-governmental partnership, corporation, branch, agency, or association.”
Additionally, a “third-party service provider” means (1) “a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store non-public information, or otherwise is permitted access to non-public information through its provision of services to the licensee” or (2) “an insurance-support organization.” Licensees must follow the Act’s investigation and notification requirements even when the cybersecurity event occurs in a system maintained by a third-party service provider.
What is a Cybersecurity Event?
The Act centers around the occurrence of a “cybersecurity event,” which the Act defines as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or non-public information in the possession, custody, or control of a licensee or an authorized person.”
Information Security Program
The Act requires each licensee’s information security program to be designed to:
- Protect the security and confidentiality of non-public information and the information system
- Protect against any reasonably foreseeable threats or hazards to the security or integrity of non-public information and the information system
- Protect against unauthorized use or access to non-public information, and minimize the likelihood of harm to any consumer; and
- Define and periodically reevaluate a schedule for retention of non-public information and a mechanism for its destruction
Each licensee must comply with the eight requirements listed under subsection C of the Information Security Program section of the Act. Below are the five of those requirements (keeping the Act’s numbering) that the Ardent Privacy solution helps address:
Identify and Mitigate Risk
2. Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the non-public information used by the licensee or in the licensee’s possession, custody, or control;
3. Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of non-public information;
6. Develop, implement, and maintain procedures for the secure disposal of non-public information in any format;
Stay Informed on Emerging Risks and Secure Information Sharing
7. Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
8. Provide personnel with cybersecurity awareness training.
The Ardent Privacy solution helps identify data at risk and data in scope. It also minimizes excess data and helps meet the various compliance requirements of the Insurance Data Security Act. The process will:
- Reduce financial and business liability in case of a cybersecurity event
- Offer protection from data breaches and leakages
- Support compliance with various legal requirements
- Reduce storage and management costs
- Reduce supply chain risk by eliminating excess data held in the cloud and with third parties
- Increase business credibility
Requirements for Licensees:
Licensees must develop, implement, and maintain a comprehensive written information security program based on a risk assessment. The written program must contain administrative, technical, and physical safeguards for the protection of non-public information and the licensee’s information system. The program must be commensurate with the size and complexity of the licensee’s business; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the non-public information the licensee uses or holds in its possession, custody, or control.
Protect: Licensees must protect the security and confidentiality of non-public information.
Prevent: Licensees must prevent the unauthorized access or compromise of non-public information.
Ensure: Licensees must properly retain and destroy non-public information.
Steps in Response to a Cybersecurity Event
A licensee must promptly investigate by answering the following questions:
- Did a cybersecurity event occur?
- What is the nature and scope of the cybersecurity event?
- Was any non-public information involved?
- What must the licensee do to restore the security of its information systems and prevent further unauthorized acquisition, release, or use of non-public information?
Notice to Commissioner
Licensees must notify the Commissioner as promptly as possible after determining that a cybersecurity event has occurred. The notice must include as much information from the investigation as is available, and must be updated as the investigation progresses. The Act requires notice if the event meets one of two conditions:
- The licensee is a domestic insurance company, or in the case of a producer, Virginia is the licensee’s home state; and the cybersecurity event meets the threshold and other requirements prescribed by the Commission; or
- The licensee reasonably believes that the non-public information involved relates to 250 or more Virginia residents, or the licensee is required under federal law or the laws of another state to provide notice of the event to any government body, self-regulatory agency, or other supervisory body
Notice to Consumers
Barring certain exceptions, the Act requires licensees to give notice by mail, telephone, or electronic means if a cybersecurity event has occurred or the licensee reasonably believes one has occurred. The notice should include:
- A description of the incident
- The type of non-public information subject to the event
- The steps the licensee is taking to protect the non-public information from unauthorized access
- A phone number to call for information and assistance
- Advice to remain alert by monitoring account statements and credit reports
The Act includes three exceptions for licensees:
- A licensee subject to HIPAA that submits the required certification and complies with HIPAA requirements is treated as compliant, provided the licensee also protects non-public information that HIPAA does not cover
- A licensee that is an employee, agent, representative, or designee of another licensee is exempt if the other licensee’s information security program covers it
- A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines issued under the Gramm-Leach-Bliley Act is deemed to meet the requirements, provided it furnishes the Commissioner with documentation confirming that the affiliated depository institution has adopted an information security program satisfying the Interagency Guidelines
Licensees should review their cybersecurity controls against the Act to confirm they are in compliance, and should watch for amendments. Licensees should also go beyond data protection by practicing data minimization, which reduces risk, liability, and the monetary impact of an event.
The crucial first step of data security compliance is knowing what data you have, then identifying the sensitive data and information assets that require protection under the law. Ardent Privacy’s solution provides data risk assessments and automates the mapping, identification, and inventory of data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability.
Ardent Privacy articles should not be considered legal or technical advice on the Insurance Data Security Act or on any specific facts or circumstances. This article expresses the opinion of the writer and nothing else.