On March 1, 2017 the cybersecurity regulation of the New York Department of Financial Services (the DFS Regulation) took effect, requiring subject financial institutions (Covered Entities), including insurance companies, to, among other things, adopt written information security programs to address the protection of nonpublic information and information systems. See 23 NYCRR Part 500. The National Association of Insurance Commissioners (NAIC), which had separately been preparing a model cybersecurity law, adopted a model law that closely resembled the DFS Regulation.[1] A version of the NAIC model law was first enacted in South Carolina, with Ohio, Michigan, and Mississippi following suit.[2] A similar bill in Alabama passed both chambers of the state legislature,[3] and additional bills are pending in Connecticut, New Hampshire, and Nevada.[4] However, none of the laws as enacted were exactly the same as each other, and none precisely followed the NAIC model.
So what’s going on?
In concept, the laws are substantially similar. Each requires Covered Entities to adopt cybersecurity programs and policies to protect information systems and nonpublic information. Further, they require each Covered Entity to perform a risk assessment and base its programs and policies thereon, to develop an incident response plan, and to investigate and report data breaches to regulatory authorities in their respective states. Finally, the laws provide for some limited exemptions from having to comply with their requirements based on compliance with, for example, the Health Insurance Portability and Accountability Act (HIPAA), or based on the size of the licensee.
Each law differs in some respects. For example, the DFS Regulation and NAIC model law differ as to their definitions of what constitutes a cybersecurity event and what triggers a cybersecurity event notification requirement. Ohio adopted a cybersecurity event definition based on, but slightly different from, the NAIC model law. Further, the laws differ as to their deadlines for providing notification of cybersecurity events. The DFS Regulation and the NAIC model law both require notification within 72 hours. Michigan requires notification within 10 days, and Ohio and Mississippi require notification “as promptly as possible,” but no later than three business days. The laws also differ with respect to the nature and scope of exemptions and particular requirements for written policies. Covered Entities should be attuned to these differences when developing compliance programs.