Driven To Succeed

At Sulloway & Hollis, P.L.L.C. (“Sulloway & Hollis”), we are committed to the success of our clients. This commitment has been at the core of our practice for more than 165 years. It underlies all aspects of our multidisciplinary approach to serving our clients.

Spanning New England

The firm serves clients ranging from closely held businesses, schools, health care institutions and national insurance companies to individuals. Based in Concord, our attorneys handle a diverse array of legal matters across New England.

Get in touch with our legal team.

A Long-Standing Pillar In Legal Services

As one of New Hampshire’s oldest law firms, we enjoy a reputation for results, integrity and leadership. The firm’s attorneys bring to the practice robust legal backgrounds and professional recognition.

Learn more about us, our people and our history.

Bridging Traditional And Modern

Because our history of success spans so many decades, we draw on a unique wealth of experience — one few law firms can claim. At the same time, we remain forward-thinking, always adapting to the demands of changing times. This balance provides our clients with the best of both worlds.

On Facebook Now


Sulloway & Hollis

New Hampshire Insurance Data Security Law Goes into Effect January 1, 2020
By Marrielle Van Rossum

Governor Sununu recently signed into law SB 194, an act creating RSA 420-P and establishing New Hampshire’s Insurance Data Security Law. Beginning January 1, 2020, state-licensed insurers must implement cybersecurity measures and then, one year later, ensure that their vendors provide appropriate safeguards to protect private information held by third-party service providers.

An information security program should be commensurate with the size and complexity of the insurance licensee and the scope of its activities. Based on their risk assessment of foreseeable internal and external threats, licensees must develop a program to mitigate the identified risks. Among other things, the program must include limiting access to nonpublic information to authorized personnel, restricting access to physical nonpublic information, encrypting all other nonpublic information being sent over an external network, and regularly testing and modifying the system as needed. Personnel should undergo cybersecurity awareness training.

Information security programs must include a written incident response plan for responding to and recovering from any system compromise. If an event occurs, the licensee or an appropriate outside vendor must investigate it promptly and identify what nonpublic information may have been involved. The licensee also must notify the Insurance Department Commissioner of a cybersecurity event within three days if the licensee is domiciled in New Hampshire or if at least 250 New Hampshire residents were potentially affected by the breach. Records of all cybersecurity events, including investigation and mitigation, must be preserved for five years following the date of the event. Licensees must be able to produce those records to the Commissioner upon request.

Several exemptions apply, including exemptions for licensees composed of fewer than 20 employees, continuing care retirement communities, and banks and credit unions that have established procedures and safeguards in compliance with the Gramm-Leach-Bliley and Fair and Accurate Credit Transaction Acts. There are also two safe harbors. First, licensees will be deemed compliant with RSA 420-P with respect to protected health information if the insurer already complies with HIPAA and its associated regulations. Second, licensees that certify compliance with New York’s Cybersecurity Requirements for Financial Services Companies law will be deemed to comply with RSA 420-P.

In passing SB 194, New Hampshire joins the ranks of states that have adopted similar cybersecurity measures since the National Association of Insurance Commissioners released its model law in 2017. Delaware, Michigan, New York, Ohio, and South Carolina previously adopted this model, and this trend is likely to continue nationwide.

If you have questions about this new law or other cybersecurity matters, please contact Kevin O’Shea or Sarah Murdough. Both may be reached at (603) 223-2800. Insurance and Reinsurance Group Co-Chairs Alexander Henlin and Barbara O'Donnell are also available.