Kentucky and Maryland recently continued the trend of state insurance departments adopting a version of the National Association of Insurance Commissioners’ (“NAIC”) model insurance data security law. Kentucky Governor Andy Beshear signed House Bill 474 into law, and Maryland Governor Larry Hogan signed SB 207.
Like the Model Law on which both are based, the laws require licensees in their states to maintain, among other things, a comprehensive written information security program, perform a risk assessment to determine s It is appropriate to implement certain technical safeguards such as multi-factor authentication and encryption, develop an incident response plan, and require third-party service providers to implement security measures.
The laws also require that certain cybersecurity events be notified to the appropriate state insurance commissioners within three business days of determining that a cybersecurity event has occurred. “Cyber Security Event” is defined as an “event resulting in unauthorized access to, disruption of, or misuse of an information system or information stored on that information system.” Notification requirements vary slightly; but, generally, notification is required for a cybersecurity event if:
- state is the state of domicile or home state of the licensee or
- the licensee believes that the nonpublic information involves 250 or more consumers and that (a) notice is required from any government agency or other oversight body or (b) the cybersecurity event has a reasonable probability of causing material harm (i) to any consumer residing in the State or (ii) any material part of Licensee’s normal operation.
The new Kentucky law takes effect on January 1, 2023. Licensees will have one year from its effective date to implement many of its provisions, and two years from that date to implement implement a comprehensive information security program.
The new Maryland law takes effect October 1, 2022, with certain grace periods for licensees to comply with the law’s written information security program requirements (by October 1, 2023) and to implement the required oversight of service providers (by October 1, 2024).