On March 20, Ohio became the third state to enact insurance-specific legislation pertaining to data security. Fortunately, many of OIA’s members will not be required to comply with several elements of the legislation, and those agencies that must comply will have ample time to do so, as the implementation dates are staggered. The only portion of the cyber bill that took effect on March 20 involves the steps an agency must take if it believes a cybersecurity event involving nonpublic information may have occurred, either in its own system or in a system maintained by a third-party vendor.
Prior to Ohio, South Carolina adopted a cyber security model law for the insurance industry, similar to the Insurance Data Security Model Law approved by the National Association of Insurance Commissioners (NAIC) in late 2017. The state of New York moved even quicker, establishing cybersecurity regulations that became effective in March 2017.
The adoption of a cyber law in Ohio did not come as a surprise, as discussions had been taking place between the carriers, OIA and ODI for several months as a result of this issue being addressed in other states.
WHAT THIS MEANS TO YOU
OIA was able to make several improvements to Ohio’s cyber bill for agents, beyond what exists in the national model legislation and cyber bills that have passed in other states.
Notably, the majority of Ohio agencies will have a large burden alleviated, as they will be exempt from a requirement to develop a comprehensive written cyber plan and exercise due diligence in selecting third-party service providers.
This is a big win, as the NAIC Data Security Model Law sets the exemption at agencies with fewer than ten employees, including independent contractors.
Additionally, Ohio’s cyber law has language added that states that the superintendent of insurance shall consider the nature, scale, and complexity of licensees (i.e. insurers and agencies) in administering the cyber law and adopting any rules necessary to implement the law. In other words, the ability of agencies to comply with the complexity of the law needs to be taken into consideration and any further rules developed should be “right-sized.”
BELOW ARE THE HIGHLIGHTS OF THE CYBER REQUIREMENTS INCLUDED IN SENATE BILL 273 THAT IMPACT AGENCIES:
INVESTIGATION AND BREACH REQUIREMENTS
All agencies, regardless of size, will be required to conduct a prompt investigation should they learn that a cybersecurity event involving nonpublic information has occurred or may have occurred, either in their own system or in that of a third-party vendor. In addition, in certain instances, the agency may be required to notify the Ohio Department of Insurance of a breach within three business days. These provisions of the bill took effect March 20, 2019. The Ohio Department of Insurance is working to implement the new cybersecurity law, including drafting rules and developing guidance on the various requirements of the law. Until ODI adopts rules or develops a procedure for reporting cybersecurity events, OIA suggests contacting us immediately if you think you may have had a cybersecurity event, so that we can help you understand any obligations you may have to report the event to ODI or to consumers. We also suggest referring to our article “What You Must Do If You Experience A Data Breach,” which contains helpful information about notifying ODI and impacted consumers.
WRITTEN CYBER PLAN AND THIRD-PARTY SERVICE PROVIDER DUE DILIGENCE REQUIREMENTS
Agencies are exempt from the requirement to develop and maintain a comprehensive written cybersecurity plan and to exercise due diligence over third-party service providers if they meet any of the following criteria:
(1) Have fewer than twenty employees.
(2) Have less than five million dollars in gross annual revenue.
(3) Have less than ten million dollars in assets, measured at the end of the agency’s fiscal year.
Agencies not exempt from these requirements have plenty of time to get ready to comply, as the requirements for a written cybersecurity plan are delayed for one year following the effective date of the bill (March 20, 2020), and the due diligence requirements for third-party service providers have a two-year delay (March 20, 2021).
WITH THE STAGGERED EFFECTIVE DATES FOR THE VARIOUS REQUIREMENTS OF THE BILL, THE INVESTIGATION AND BREACH NOTIFICATION REQUIREMENTS ARE THE ONLY PORTION OF THE CYBERSECURITY REQUIREMENTS THAT BECAME EFFECTIVE MARCH 20, 2019.
WHAT YOU NEED TO DO RIGHT NOW
At this time, there is nothing you need to do (that is unless you think you may have had a data breach). Stay tuned — OIA will continue to keep you informed on these new cyber requirements as more information becomes available and rule development gets underway to help carry out certain provisions of the bill.
NEED CYBER INSURANCE?
We can help! Click below to learn more about OIA's cyber coverage options!