On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:
- maintain an information security program,
- investigate all cybersecurity events,
- notify the Commissioner of Insurance of cybersecurity events, and
- notify consumers affected by cybersecurity events.
The Act is effective on July 1, 2020, but several components have phased-in compliance deadlines. The State Corporation Commission, which houses the Bureau, is also required to adopt regulations to implement the law.
The Act makes Virginia the latest state to adopt the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law, even though there are some differences between the Act and the NAIC’s Model Law.
Reporting Change. Along with creating the new requirements detailed below, the Act sets forth the “exclusive state standards” for data security, security of nonpublic information, investigation of cybersecurity events, and reporting requirements for cybersecurity events for BOI-regulated entities. This includes a change in reporting of cybersecurity events from the Office of the Attorney General to the Commissioner of Insurance for BOI-regulated entities.
Licensees. The Act applies to “licensees.” The term is defined as “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth.” “Licensee” does not include a purchasing group or risk retention group chartered or licensed in another state or a person acting as an assuming insurer that is domiciled in another state.
Information Security Program. Each licensee is required to “develop, implement, and maintain a comprehensive written information security program.” The Act spells out the requirements of the program, including:
- that the program is to be commensurate with the size and complexity of the licensee,
- a mandate for cybersecurity training,
- due diligence of third-party service providers (starting July 1, 2022), and
- submission of a written certification of compliance with the information security program requirements (starting February 15, 2023).
Additional guidance is likely to come in forthcoming Commission regulations.
Duty to Investigate. The Act requires licensees that learn a cybersecurity event has or may have occurred to conduct a “prompt investigation” to:
- determine whether a cybersecurity event has occurred,
- assess the nature and scope of the cybersecurity event,
- identify any nonpublic information that may have been involved in the cybersecurity event, and
- implement reasonable measures to restore the security of the information systems compromised in the cybersecurity event.
A “cybersecurity event” is defined as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person.” A “cybersecurity event” excludes acquisition of encrypted information, as long as the key is also not acquired, and any event where the licensee has determined that the nonpublic information accessed has not been used or released and has been returned or destroyed.
Commissioner Notice. If a licensee has determined that a cybersecurity event has actually occurred, it must notify the Commissioner of Insurance “as promptly as possible but in no event later than three business days from such determination.” Notice is required if:
(1) the licensee is a domestic insurance company or a producer with Virginia as its home state, or
(2) the licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth, or notice is required by federal, other state regulator, or self-regulatory or supervisory body.
The Act requires that notice to the Commissioner be provided in electronic form and spells out the content of the notice.
Consumer Notice. A licensee that maintains “consumers’ nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice that a cybersecurity event has occurred.” The licensee’s consumer notice obligation is triggered only if “consumers’ nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers’ nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers.”
Such notice shall include a description of the following:
- The incident in general terms;
- The type of nonpublic information that was subject to the unauthorized access and acquisition;
- The general acts of the licensee to protect the consumer’s nonpublic information from further unauthorized access;
- A telephone number that the consumer may call for further information and assistance, if one exists; and
- Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer’s credit reports.
The Act provides that consumer notice may be delayed if, after notification of a law enforcement agency, the law enforcement agency determines and advises that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. The Act also states that a licensee must treat cybersecurity events of its third-party service providers as its own cybersecurity event, unless the third-party service provider provides the required customer notice.
Exceptions. The Act carves out exceptions from its various requirements for certain classes of licensees:
- Those subject to and compliant with HIPAA are considered in compliance with the information security program requirements and customer notification requirements;
- Those affiliated with a depository institution maintaining an information security program in compliance with GLBA are considered in compliance with the information security program requirements; and
- Those that are employees, agents, representatives, or designees of another licensee are exempt from the Act’s requirements if covered by information security program, investigation, and notification obligations of the other licensee.
Impact. For sophisticated licensees who are already in compliance with the New York Department of Financial Services Cybersecurity Regulation, the Act may not change much beyond the regulator receiving notice of a cybersecurity incident, although compliance with that regulation is not a safe harbor under the Act. Even so, the Act imposes significant requirements on licensees regardless of size. All licensees should assess their data security program for compliance with the Act before the July 1, 2020 effective date and stay tuned for more guidance expected in the upcoming regulations.