Kentucky has become the 21st state to adopt a data security law that will require insurers and larger agencies to beef up measures designed to help prevent cyber attacks and data breaches.
Gov. Andy Beshear in April signed House Bill 474, which was based on the National Association of Insurance Commissioners’ model data security law. People and organizations licensed under the Kentucky insurance laws who have more than 50 employees have until Jan. 1, 2024 to comply, according to the law and recent news reports.
The steps that licensees must take include developing a written cybersecurity program; investigating and reporting cyber events within three days to the state insurance commissioner; conducting risk assessments; and designating a person in the company to be responsible for information security.
The NAIC has said the model law was in the works for some time.
“In recent years, there have been several major data breaches involving large insurers that have exposed and compromised the sensitive personal information of millions of insurance consumers,” reads a legislative brief by the NAIC. “As a result, state insurance regulators made reevaluation of the regulations around cybersecurity and consumer data protection a top priority, and in early 2016 the NAIC began drafting the Insurance Data Security Model Law.”
Among other steps, Kentucky’s law requires insurers to “identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.”
Companies must also put controls on information to limit access only to authorized people, along with many other measures.
The NAIC model law would have exempted only those companies with fewer than 10 employees, but Kentucky lawmakers upped that to 50 workers. The law also will not apply to purchasing groups or risk retention groups chartered and licensed outside of Kentucky, nor to companies that act as assuming insurers and are domiciled in other states.
Other states that have adopted similar laws include: Alabama, North Dakota, Minnesota, Iowa, Wisconsin, Michigan, Indiana, Ohio, Tennessee, Virginia, Maryland, Washington D.C., South Carolina, Louisiana, Mississippi, Delaware, Connecticut, New Hampshire, Maine, and Hawaii. Bills are pending in Illinois, Vermont, Rhode Island, and Washington. New York has its own data privacy requirements, NAIC explained.