It’s the phrase that no business owner wants to hear: “We’ve had a data breach.” Even a suspected hack usually triggers an adrenaline-fueled response. Your response team swings into action to investigate and, hopefully, mitigate the damage. Once you determine that a reportable cyber event has occurred, the next step is making the appropriate notifications.
Insurance Commissioner Notifications
First, let’s talk about notifications to the insurance commissioners’ office. I say commissioners – plural – because multiple notifications may be required if your company or agency does business in more than one state.
Generally, you must notify regulators if:
- The jurisdiction is the domicile state of an insurer or the resident state of a producer
- The event involves non-public information of 250+ consumers residing in the state
There are two other factors, however, that make things a little more complicated. Many states include a “material harm” clause in their notification requirement. This requires notification if the event meets one of the conditions above AND “has a reasonable likelihood of materially harming a consumer or a material part of the normal operation(s) of the covered entity.” Many state Departments of Insurance (DOIs) also have an “other notice” standard that requires that they be notified if any other government, regulatory, or supervisory body is.
Once you’ve determined that you need to file a notification, it’s a question of how and how quickly you need to do so. Most states that base their regulation on the NAIC’s Model Law require notification within 3 business days of breach detection. Depending on the state, however, the deadline can be anything from 72 hours to 10 business days. Notifications are typically made electronically, using an online form or portal. The exact information varies slightly from state to state but generally includes a detailed description of the event, how it was discovered and addressed, and what information was compromised. You also need to share your protocol for identifying and notifying consumers impacted by the event.
It won’t always be possible to provide all this information, especially if investigations are still ongoing. Include the known facts in the initial report. Then, file supplemental reports as more information becomes available.
As important as it is to meet your regulatory obligations, it’s even more important to handle consumer notifications properly. Being the target of a successful cyber event can cause great reputational harm. How you handle the notification process can go a long way to restoring consumer confidence in your company.
All U.S. jurisdictions have laws governing these data breach notifications. The deadlines for making such notifications and the information that they must contain can vary greatly. Typically, however, the consumer notice should contain:
- A general description of the cyber event
- A description of the type of personal information compromised
- A summary of actions taken to protect the consumer’s personal data from further security breaches
- Contact information to obtain additional information or assistance
- A reminder to be alert for identity theft or similar fraud
For information about the requirements and procedures in a particular jurisdiction, consult qualified legal counsel or contact the state’s Attorney General’s Office for assistance. If the compromised data falls under HIPAA or other legislation, additional requirements may apply. Some states do make provision for “substitute notice” in the event of breaches that involve very large numbers of consumers, where the costs to notify each affected person or entity individually would be prohibitive.
The NAIC Model Law also addresses three special situations that require notifications. The first is when a cybersecurity event occurs on a system maintained by one of your third-party service providers. In this case, the clock for YOU to notify regulators and consumers begins ticking as soon as the vendor reports the issue to you or you discover it. And if you’re a third-party vendor for another entity (for example, an MGA, TPA, or adjuster firm), your contract may include even more stringent reporting requirements. The state regulation does NOT override any contractual obligations.
The second situation involves reinsurance. If a cyber event occurs on a system maintained by the assuming insurer or on a system maintained by a third-party service provider of that insurer, the assuming insurer is required to notify the affected ceding insurer(s) and the insurance commissioner of its domicile state that an event has occurred. Because the reinsurer does not have a direct contractual relationship with the consumers (i.e., policyholders), it does not have an obligation to notify them of the event. This responsibility lies with the ceding insurer(s), which must meet all relevant notification responsibilities imposed by the state’s cybersecurity regulation.
The final “special situation” involves producers of record. If policyholders secure coverage with an insurer through a producer/agent of record and there is a cyber event on a system maintained by the insurer or on a system maintained by a third-party service provider of that insurer, the insurer must notify the producer/agent of record for any affected consumers as soon as practicable as directed by the insurance commissioner.
The topics we’ve covered in this series aren’t the “sexy” part of cybersecurity compliance. No one is going to make an action thriller where the protagonist saves the day by the timely completion of an after-action report. (Although, if it makes you feel any better, most on-screen depictions of cyber defense are pretty misleading anyway.) But that doesn’t mean they aren’t important. In fact, it’s these day-after-day, year-after-year tasks that enable you to do a lot of other routine tasks — like serving your customers, paying your employees, keeping the lights on … well, you get the point.
This is the last in a series of articles discussing some of the most commonly overlooked aspects of security architecture and cybersecurity compliance. Other articles address email security, employee training and awareness, automated update and software patches, and documentation.