This is the latest in a series of articles providing a state-by-state analysis of data security and privacy regulations, intended to help business owners maintain compliance.
Important new cybersecurity laws have been passed in Connecticut and New Hampshire that affect insurance carriers, producers, and other businesses licensed by the Connecticut Insurance Department ("CID") and the New Hampshire Insurance Department ("NHID"). The laws, both titled "Insurance Data Security Law," take effect in Connecticut on October 1, 2020, and in New Hampshire on January 1, 2021. The two laws differ slightly: Connecticut's takes its cues from the New York Department of Financial Services cybersecurity regulations, while New Hampshire's follows the 2018 Model Act published by the National Association of Insurance Commissioners ("NAIC").
The laws require companies to establish comprehensive cybersecurity risk management programs that will identify threats and inform and prioritize remediation efforts. Many of the requirements go beyond the typical internal controls organizations have in place in their environments. For example, insurers must establish and implement an information security program, including:
Insurers are also required to submit written statements certifying that the insurer complies with the defined requirements to the commissioners at least annually.
Though the program components primarily represent a self-assessment exercise, the laws do give the Departments of Insurance the authority to "examine and investigate" any licensee and to take "action that is necessary or appropriate" if they have reason to believe a licensee is not compliant.
Given the wide-ranging and stringent requirements of these laws, it makes sense to leverage third-party compliance experts to help you build or extend your information security program to include these provisions.