Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of spring). Under the law, companies have one year to put the required security measures in place. Like the NAIC model, the law requires insurance providers to take several steps to protect personal information, including conducting risk assessments and maintaining a written information security program and an incident response plan. Smaller insurers (those with fewer than 20 employees, less than $5 million in gross annual revenue, and less than $10 million in assets) are exempt from the security program requirements. HIPAA-compliant companies are also exempt from the program requirements. The law affects how companies select third-party service providers, and it requires an annual certification of compliance.
The law also contains provisions relating to data breaches. Companies must conduct an investigation in the event of a “cybersecurity event,” defined as attempted access to an information system or to nonpublic information stored on an information system. An incident is excluded from the definition if the nonpublic information was not “used” or “released,” or was “returned or destroyed.” Companies must notify the state insurance regulator at least three days after determining that a cybersecurity event has occurred. Ohio’s general data breach notification requirements must also be followed. The insurance law also includes the same safe harbor provisions as the general breach law, which we wrote about last year.
Putting it Into Practice: We anticipate more states will follow Ohio and South Carolina, putting into place specific data security requirements for insurance providers, as well as provisions about how to handle “cybersecurity events.”