From the Office of Brian: Alabama Passes New Insurance Data Security Law…is this the beginning?

This past May, Governor Ivey signed the Insurance Data Security Law (Act 2019-98), which requires heightened standards within the insurance industry for cybersecurity and data privacy. Under this new law, insurers must develop and implement an information security program and report certain cybersecurity events to the Commissioner of Insurance (Commissioner). The law also provides for civil penalties under certain conditions.

The new law is based on the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC). The NAIC Model establishes both technical and non-technical standards that address the prevention of, and response to, a cybersecurity event.

An essential requirement under the law is to establish a comprehensive information security program. The program would include implementation of an incident response plan designed to respond to, and promptly recover from, any cybersecurity event where nonpublic data may be compromised. The licensee must have the capability to properly prevent, investigate, and notify appropriate parties when a cybersecurity event occurs.

The technical aspects of the insurance data security law include enhancing authentication controls, network intrusion/prevention, and system audit logs. All of these elements within the model law are focused on protecting the confidentiality, integrity, and availability of nonpublic data.

The adoption of this insurance data security law represents what will likely be a trend within specific industries regulated by state or federal agencies. The FTC has recently begun taking comments on proposed changes to the Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act. These changes would create new, prescriptive security obligations for companies that qualify under the broadened definition of a financial institution.

If your organization is not prepared for the data security conversation, then it is time to put it on the agenda before it becomes the agenda. Our partners at Christian and Small Attorneys also published an article on the insurance data security change. Have questions on how this will affect your firm? We have got the answers.