Cybersecurity bill helps protect your agency
Gov. Kasich has signed Senate Bill 220 (S.B. 220) to create a legal safe harbor for businesses that experience a data breach provided they have voluntarily implemented a cybersecurity program that meets certain requirements.
S.B. 220 does not bar a lawsuit but provides the opportunity for a business to provide evidence that reasonable policies and protections were in place to prevent the breach and, essentially, provides guidance as to what is reasonable.
Judges and juries would still decide, depending on the unique facts and evidence of a case, whether the business meets its burden to raise the affirmative defense provided under the act.
Cybersecurity program requirements
The act requires a business’ cybersecurity program to be designed to do all of the following with respect to the information it is meant to protect:
Protect the security and confidentiality of the information;
Protect against any anticipated threats or hazards to the security or integrity of the information;
Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The scale and scope of a business’ cybersecurity program is considered appropriate if it is based on all of the following factors:
The entity's size and complexity;
The nature and scope of the entity's activities;
The sensitivity of the information to be protected;
The cost and availability of tools to improve information security and reduce vulnerabilities;
The resources available to the entity.
Approved cybersecurity frameworks
Under the act, a business’ cybersecurity program also must reasonably conform to an industry recognized cybersecurity framework.
For insurance agencies, the recognized frameworks listed in the act that are most pertinent because they are likely already being followed are the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Title V of the federal Gramm-Leach-Bliley Act (GLBA) of 1999.
Ultimately, S.B. 220 is intended to be an incentive to encourage businesses to achieve a higher level of cybersecurity through voluntary action. This legislation is not only a benefit to you, but also to your commercial clients that proactively ensure they are protecting their data by complying with the requirements of the act.
S.B. 220 takes effect Nov. 2, 2018.
So, just what are the requirements in Title V of the "Gramm-Leach-Bliley Act of 1999," Public Law 106-102, as amended?
This answer can be found in a very comprehensive memo from the Independent Agents and Brokers of America, Inc. (IIABA) that outlines the privacy provisions of the GLBA and their impact on insurance agents and brokers. Specifically, Section VI of this memo found on pages 11-13 outlines the data security and integrity requirements.
Agents are already supposed to be following these federal requirements. However, as a result of S.B. 220, agents who do so can now receive a legal safe harbor in Ohio, since the GLBA is a specified industry-recognized data security framework that is acceptable in conjunction with the implementation of a cybersecurity program.
Not sure if you are following the data security requirements of the GLBA? IIABA and the Agents Council for Technology have come to the rescue!
They have created a sample written cybersecurity policy as a tool to assist agencies in creating a policy appropriate and customized for their agency.
In creating this policy, they worked from requirements set forth by several acts, including the New York Regulation 23 NYCRR 500, and Gramm-Leach-Bliley, because these regulations impose some of the most specific and demanding requirements.
What does this mean for you? You can customize this written policy for your agency and since it complies with the GLBA standards, it meets the requirements of Ohio’s S.B. 220 to qualify your agency for a legal safe harbor.
I can’t talk about the requirements of the GLBA without also mentioning privacy notices.
In Ohio, we have a rather confusing situation with privacy notices since there is a distinction between the federal requirements set forth by the GLBA and some Ohio laws that also address the issue.
But, the bottom line is this: P&C agents should follow the GLBA requirements, but agents who sell life, health or disability coverage have requirements for insurance information practices, including privacy notices, that they must adhere to in Ohio Revised Code Chapter 3904.
So, what are the GLBA requirements for privacy notices that P&C agents should be following? Rather than reinvent the wheel, let’s go back to IIABA’s very comprehensive memo.
While agents can benefit from a refresher on the requirements of the GLBA and should read the entire memo, Section III, found on pages 3-7, specifically discusses the privacy notice requirements.
Note that the GLBA no longer requires agencies to provide annual notices if they:
Share NPI with non-affiliated third parties only pursuant to the established exemptions from which consumers cannot opt out (see Section IV.D. of the memo); and
Have not changed their disclosure policies and practices since their most recent consumer privacy notice. The amendments do not affect any initial notice requirements.
This exception does not apply to agencies that share NPI beyond the established exemptions, even if the agency has not changed its disclosure and practices.
Moreover, agencies that use this exception still have to provide consumers with any revised privacy notices, even if the agency narrows the circumstances in which it discloses NPI to non-affiliated third parties.
The Privacy Provisions of the Gramm-Leach-Bliley Act and Their Impact on Insurance Agents & Brokers
Additional Cyber Resources:
Agency Cyber Guide 1.0: Tools for compliance and protection in today’s world of data breach and cybercrime (Agents Council for Technology, ACT)
What you must do if you experience a data breach — Feb. 22, 2018
NOTICE: The Ohio Insurance Agents Association, Inc. (OIA) provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither OIA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. You should not rely on this information when dealing with personal or professional legal matters; rather, seek legal advice from retained legal counsel.