Ohio insurers are the latest industry to face new regulatory obligations pertaining to cybersecurity. While many businesses may sigh in relief that it is not their industry getting hit with additional compliance burdens, now is the perfect time to evaluate your own cybersecurity program before the spotlight turns to your industry. In addition to Ohio's new insurer cybersecurity law, recent cybersecurity developments in a wide range of industries include a new HIPAA-related cyber framework, updates to the Payment Card Industry Data Security Standard (PCI-DSS) impacting the retail industry, FINRA regulations in the financial services sector, and continued developments in GDPR implementation and enforcement. This wave of attention to cybersecurity provides an abundance of guidance from which you can develop your company's own program.
On December 18, 2018, then-Governor John Kasich signed Substitute Senate Bill No. 273 into law. This bill created new Ohio Revised Code sections (R.C. 3965.01 - R.C. 3965.11) obligating Ohio-licensed insurance companies to develop, implement, and maintain a comprehensive written "information security program" based on an individualized risk assessment. Each insurer's program must describe the safeguards it uses to handle, protect, and store "nonpublic information"; that is, business and personal information that would harm the insurer or expose personal and sensitive consumer information such as health, financial, or identifying information if disclosed.
Under this new law an Ohio-licensed insurer must conduct an individualized risk assessment to ensure that its information security program is appropriate for its size and complexity, the nature and scope of its business activities, and the risks relevant to its nonpublic information. This risk assessment must:
- Identify reasonably foreseeable internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, or loss of nonpublic information;
- Assess the likelihood and potential damage of such identified threats;
- Assess the sufficiency of the safeguards to manage the identified threats; and
- Annually assess the effectiveness of the safeguards' key systems, controls and procedures.
After an insurer completes the risk assessment, it must update its information security program to:
- Mitigate the identified threats and risks to nonpublic information;
- Determine the appropriate security measures to implement;
- Include cybersecurity risks in its enterprise risk management system;
- Stay informed and current on threats and vulnerabilities to its information security program as such threats emerge; and
- Provide personnel with training on cybersecurity and update such training as necessary to reflect the identified risks.
Insurers must also submit a written statement to the Superintendent of Insurance certifying the compliance of their information security program.
The law further requires insurers to verify that their third-party service providers have appropriate cybersecurity safeguards and to establish a written Incident Response Plan as part of the information security program. The law contains guidance on developing an Incident Response Plan, including detecting and responding to cybersecurity incidents, assessing the nature and scope of the event, identifying the nonpublic information involved, and taking reasonable measures to restore security and prevent release of information. If an incident occurs, insurers must provide notice to the Superintendent of Insurance no later than three days after it is detected.
Importantly, insurers that are subject to the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") are deemed to have met the statute's requirements. However, insurers must submit certification of their HIPAA compliance to the Superintendent of Insurance and are obligated to provide notice to the Superintendent when a cybersecurity event occurs.
While the statute imposes extensive compliance requirements on Ohio insurers, it does come with one significant sweetener: insurers who satisfy the statute's requirements will benefit from the Ohio Data Protection Act's affirmative defense to certain tort actions that allege that a data breach resulted from a company's failure to implement reasonable information security controls.
As with any cybersecurity framework, there is no one-size-fits-all approach. However, the new requirements for Ohio insurers may prove useful to businesses in other industries in determining what programs, policies, and protections will work best for them. In a rapidly-changing legal and regulatory environment, knowing what other industries are doing today may help your business prepare for the next set of data and cybersecurity requirements with direct application to your own business.