NH Insurance Data Law Goes Into Effect 1/1/20

By Marrielle Van Rossum

Governor Sununu recently signed into law SB 194, an act creating RSA 420-P and establishing New Hampshire’s Insurance Data Security Law.  Beginning January 1, 2020, state-licensed insurers must implement cybersecurity measures and then, one year later, ensure that their vendors provide appropriate safeguards to protect private information held by third-party service providers.

An information security program should be commensurate with the size and complexity of the insurance licensee and the scope of its activities.  Based on their risk assessment of foreseeable internal and external threats, licensees must develop a program to mitigate the identified risks that includes controlling access of nonpublic information to authorized personnel, restricting access to physical nonpublic information, encrypting all other nonpublic information being sent over an external network, and regularly testing and modifying the system as needed, among other things.  Personnel should undergo cybersecurity awareness training.

Information security programs must include a written incident response plan for responding to and recovering from any system compromise.  If an event occurs, the licensee or an appropriate outside vendor must investigate it promptly and identify what nonpublic information may have been involved.  The licensee also must notify the Insurance Department Commissioner of a cyber security event within three days if the licensee is domiciled in New Hampshire or if at least 250 New Hampshire residents were potentially affected by the breach.  Records of all cybersecurity events, including investigation and mitigation, must be preserved for five years following the date of the event.  Licensees must be able to produce those records to the Commissioner upon request.

Several exemptions apply, including exemptions for licensees composed of less than 20 employees, continuing care retirement communities, and banks and credit unions that have established procedures and safeguards in compliance with the Gramm-Leach-Bliley and Fair and Accurate Credit Transaction Acts.  Additionally, there are two safe harbors:  Licensees will be deemed compliant with RSA 420-P with respect to protected health information if the insurer already complies with HIPAA and its associated regulations.  Additionally, licensees that certify compliance with New York’s Cybersecurity Requirements for Financial Services Companies law will be deemed to comply with RSA 420-P.

In passing SB 194, New Hampshire joins the ranks of states that have adopted similar cybersecurity measures since the National Association of Insurance Commissioner’s released its model law in 2017.   Delaware, Michigan, New York, Ohio, and South Carolina previously adopted this model, and this trend is likely to continue nationwide.

If you have questions about this new law or other cybersecurity matters, please contact Kevin O’Shea or Sarah Murdough.  Both may be reached at (603) 223-2800.   Insurance and Reinsurance Group Co-Chairs Alexander Henlin and Barbara O’Donnell are also available.