by Thomas Moran
All insurers doing business in Virginia should be aware of a new law going into effect on July 1, 2020. The Insurance Data Security Act, Va. Code §§ 38.2-621, et seq. (“Act”), imposes various monitoring, reporting and disclosure requirements relating to the personal information of insureds across the state.
This article summarizes the major points of the Act and the new requirements that will be imposed on insurers who do business with Virginians.
The Act is designed to protect what it refers to as “nonpublic information.” This term includes any information that is not publicly available and either (1) relates to the business operations of an insurer such that unauthorized disclosure or access would cause an adverse impact, (2) allows identification and correlation of a consumer’s name, number, or other identifier with that consumer’s social security number, driver’s license number, financial or credit card number, or (3) pertains to health or mental care (including payment records). It does not include age, gender, or any information that is available in public records or required disclosures.
Information Security Program
Every insurer doing business in Virginia will be required to maintain a written information security program (ISP). While the scope of the ISP will necessarily depend on the size and complexity of the insurer, the nature of its activities, and the sensitivity of the information it maintains, each ISP must provide for the following at a minimum:
- Protect the security and confidentiality of protected information;
- Protect against threats or hazards to the security or tampering of protected information;
- Protect against unauthorized access;
- Establish a schedule for retention of protected information and its destruction;
- Designate a person, affiliate, or third-party vendor responsible for the ISP;
- Mitigation of identified risks;
- Establish authentication controls;
- Restrict access in places where records are stored;
- Protect against fire, water and other disasters as well as technological failures;
- Secure disposal of protected information;
- Keep up to date on the latest threats and vulnerabilities;
- Cybersecurity awareness training for employees;
- Reporting to the board of directors;
- Regular monitoring, reevaluation and adjustment based on factors such as technological changes, emerging threats, and changes to the insurer’s business structure and arrangements;
- A written incident response plan designed to respond to and recover from any unauthorized access or other cybersecurity event (see Va. Code § 38.2-623(G) for the required elements of the response plan).
The Act’s scope is not limited to preventative measures. It imposes an investigation requirement with respect to any event that results in unauthorized access, disruption, or misuse of the insurer’s information system or protected information. At a minimum, the investigation must determine whether such an event occurred, assess the nature and scope of the event, identify the compromised information, and oversee reasonable measures to restore system security.
Disclosure to Commissioner and Notice to Consumers
If an insurer learns that information has been compromised, it is required to give notice to the Insurance Commissioner within three days if it is a Virginia corporation, or if 250 or more Virginia residents are affected by the event. The notice must include information such as timing, a description of how the information was compromised, recovery efforts, and law enforcement involvement. A full list of the disclosure requirements is at Va. Code § 38.2-525(B). The insurer must update and supplement the notice as information is learned over the course of the investigation.
The insurer must also provide notice of any compromised information directly to consumers if the information is reasonably likely to be the subject of identity theft or fraud to those consumers. This notice must be provided “without unreasonable delay” after determining or receiving notice that information has been compromised. The notice must (1) narrate the incident in general terms, (2) provide the type of protected information that was compromised, (3) describe what the insurer is doing to protect from future unauthorized access, (4) give a telephone number for the consumer to call for information and assistance, and (5) advise the consumer to review account statements and monitor credit reports. The insurer must mail the notice, unless the cost of doing so exceeds $50,000 or over 100,000 consumers are affected, in which case electronic notice is acceptable.
Additionally, if notice is provided to more than 1,000 consumers, the insurer must provide a copy of the notice to national credit reporting agencies.
Use of Third-Party Service Providers
Many insurers will choose to outsource the creation and implementation of the ISP to a third-party vendor. On July 1, 2022, additional requirements will be phased in for insurers choosing this option. Insurers will be required to exercise “due diligence” in selecting the vendor, and the insurer retains the responsibility to oversee the vendor to ensure that it implements administrative, technical and physical measures to keep protected information secure.
Certification and Record Retention for Virginia-based insurers
On January 1, 2023, each insurer domiciled in Virginia will be required to certify its compliance with the Act to the Insurance Commissioner. All ISPs, investigation reports, and related documents must be retained for five years.
Insurance Commissioner Oversight and Confidentiality
The Insurance Commissioner has the power to examine and investigate the insurer to ensure compliance with the Act, and to take any action necessary to enforce its provisions. Forthcoming rules and regulations will likely add further duties and requirements.
Similarly to investigations involving insurance fraud, the information and documents uncovered by the Insurance Commissioner during an investigation into an insurer’s response to a compromise of protected information are protected from civil discovery and subpoenas. However, the Commissioner may use such documents and information in the furtherance of any regulatory or legal action, and share and receive documents from regulatory and law-enforcement authorities.
The Act does not apply to:
- Insurers already subject to and compliant with HIPAA or depository institution information security requirements; or
- Independently licensed employees, agents, representatives, or designees of an insurer, if they are covered by the insurer’s ISP, investigation and notification obligations.
With cyber-attacks, ransomware, and other nefarious technological threats menacing insurers and their customers, responsible cybersecurity practices are now not only good business sense; they’re the law. If you have questions regarding the Act and how to ensure compliance, please contact Tom Moran at (804) 362-9434 or firstname.lastname@example.org.