New Hampshire Governor Chris Sununu recently signed the New Hampshire Insurance Data Security Law, which “establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event…, and notification to the commissioner.” The law is applicable to all persons or entities licensed, authorized to operate, registered or required to be licensed, authorized or registered, pursuant to the insurance laws of the State of New Hampshire. It becomes effective on January 1, 2020.
The law requires insurance companies to implement an Information Security Program (ISP) that contains administrative, technical and physical safeguards to protect non-public information and includes a security risk assessment. The ISP must include:
- a program to manage the threats identified in the risk assessment, including encryption and multi-factor authentication;
- cybersecurity awareness training;
- due diligence in hiring third parties and requiring those third parties to implement security measures; and
- an incident response plan.
Licensees are required to investigate cybersecurity events, and notify the Commissioner within three days “of a determination that a cybersecurity event has occurred,” defined to mean, actual knowledge that the event occurred. Insurance companies are required to provide the Commissioner with a copy of any notification letter that is sent to any consumers under the New Hampshire data breach notification law.
The Commissioner has the right to investigate any cybersecurity event of a licensee to determine if it has been in violation of the law, and “may take action that is necessary or appropriate to enforce the provisions of the law.”
Licensees exempted from the law include:
- covered entities that have fewer than 20 employees
- an employee who is also a licensee
- a continuing care retirement community
- a life settlement provider
- a licensee that is a bank or credit union covered by Gramm-Leach-Bliley or the Fair Credit Reporting Act
- a motor vehicle retail seller or finance company
- a vendor, as defined under RSA 402-K:1.
There is also a safe harbor for HIPAA-covered entities and companies covered by the New York Department of Financial Services Cybersecurity Regulations.
Licensees have until December 31, 2021, to implement an Information Security Program and until December 31, 2022 to implement a vendor management program, including to “exercise due diligence in selecting its third-party service provider” and requiring the third party to implement a data security program.
Based upon our experience with similar requirements in the Massachusetts data security regulations, it takes more time than you think to map all of the vendors that have access to data and to get written confirmation or contractual provisions in place to comply with this requirement, so you may wish to consider starting the process now.