Jan 3, 2020
N.H. data security law took effect Jan. 1
An insurance data security law based on the National Association of Insurance Commissioners’ model legislation took effect Jan. 1, 2020, and will impact all those licensed in New Hampshire. Nonexempt licensees have until Jan. 1, 2021, to create an information security program.
The law sets out the requirements New Hampshire licensees must follow when a cyber security event occurs and the steps that must be taken to minimize the chances of such an event occurring. The procedures include prompt notice to the insurance commissioner should a cyber security event affect the nonpublic data of a New Hampshire resident, if the licensee is an insurer domiciled in New Hampshire or a resident insurance producer in New Hampshire. For nonresident producers and insurers domiciled outside the state, notice will be required if a cyber security event affects 250 or more New Hampshire residents.
The law requires a risk assessment and the implementation of an information security program. Licensees with fewer than 20 employees—including independent contractors with access to nonpublic information—will not be required to comply with that section of the law. All licensees who do not qualify for the limited exemption must have their information security programs in place by Jan. 1, 2021. Only insurers will need to file certification with the New Hampshire Insurance Department.
The law includes a safe harbor for any licensee who is compliant with New York’s cyber security regulation (23 NYCRR 500). To comply under the safe harbor, a licensee must submit a written statement to the New Hampshire insurance commissioner certifying compliance with New York state’s regulation. Even licensees who comply with the data security legislation through the safe harbor must comply with the New Hampshire requirements for investigating a cyber security event and commissioner notification requirements.
Do you have a N.Y. nonresident license?
Annual certification of compliance required
According to the New York State Department of Financial Services, regulated entities and licensed persons must file the Certification of Compliance for calendar-year 2019 between Jan. 1 and April 15, 2020. Commencing 2020, the department is extending the deadline for filing the Certification of Compliance from Feb. 15 of each year to April 15 of each year. The department will be issuing a proposed regulation to amend the cyber security regulation to change the Certification of Compliance filing date permanently from Feb. 15 to April 15 of each year commencing 2021 and beyond.
The DFS cyber security regulation (23 NYCRR 500) requires all New York-licensed insurance agencies, agents and brokers to file a Certification of Compliance annually (Section 500.17(b)). The certification confirms that the licensed entity has complied with the regulation to the extent required, which includes conducting a risk assessment and developing cyber security programs and policies based upon that risk assessment. This requirement also affects New York nonresident licensees. The DFS has provided a number of FAQs on the cyber security regulation on its website. NOTE: Agency employees and representatives that filed exemptions under Section 500.19(b) are not required to file annual Certifications of Compliance:
(b) An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cyber security program to the extent that the employee, agent, representative or designee is covered by the cyber security program of the Covered Entity.
PIA has the resources to help you understand what is expected of you and your agency. See your Privacy Compliance Central for access to a library of information on this regulation, including in-depth compliance information; the final regulation; answers to commonly asked questions; QuickSource documents; and information on TAG Solutions’ Compliance Plus and Do-It-Yourself programs.
Contact PIA’s Industry Resource Center with any additional questions you may have regarding this regulation.