Data security has been a hot topic for the insurance industry in recent years, particularly the development of information security programs (“ISPs”) by insurers, producers, and other insurance licensees. New York was the first state to adopt insurance data security requirements in 2017. Since then, 21 states, including Wisconsin, have adopted some form of insurance data security law, generally mirroring the National Association of Insurance Commissioners Insurance Data Security Model Law (the “Model Law”), which was also promulgated in 2017. Additionally, at least two other jurisdictions (Pennsylvania and the District of Columbia) have insurance data security laws pending as of November 2022.
One of the primary requirements of the New York regulations and the Model Law is that licensees (generally defined as all persons licensed or required to be licensed under the insurance laws of, and domiciled in, the particular state) must create and implement an ISP. Under the Model Law, ISPs are required to:
(1) Protect the security and confidentiality of Nonpublic Information and the security of the Information System;
(2) Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;
(3) Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and
(4) Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.
Model Law Section 4(B). Licensees must design their ISPs commensurate with the size, complexity, nature, and scope of the licensee’s insurance activities. Model Law Section 4(A).
Unique to New York, any person licensed under New York’s insurance law is required to certify annually that they comply with New York’s ISP requirements. 23 NYCRR 500.17(b). The Model Law, on the other hand, only requires that insurers certify ISP compliance with their domestic state insurance regulator. Under the Model Law, other licensees, such as producers, are not required to make any formal certification. Model Law Section 4(I).
Wisconsin recently enacted 2021 Wisconsin Act 73, which takes a middle-ground approach to ISP certification. Specifically, Wis. Stat. § 601.952(8) requires that any licensee domiciled in Wisconsin annually submit certification of ISP compliance by March 1 of each year. Wisconsin adopted the Model Law definition of licensees noted above, which includes any persons licensed or required to be licensed under Wisconsin’s insurance code that are domiciled in Wisconsin (including insurers, producers, etc.). Wis. Stat. § 601.95(7). Wisconsin is the first state other than New York to require non-insurer licensees to certify ISP compliance.