On August 2, 2019, New Hampshire became the most recent of many states that adopted an Insurance Data Security Law (Senate Bill 194-FN) modeled after the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. New Hampshire Governor Chris Sununu signed Senate Bill 194-FN (SB194) into law requiring insurance companies licensed in NH (“Licensees”) to implement information security programs, and to report cybersecurity events. SB194 goes into effect on January 1, 2020 and permits Licensees one year from the effective date to implement the requisite information security programs and two years from the effective date to require third-party service providers to implement appropriate measures to protect and secure information systems and nonpublic information.
Although SB194 adopts much of the language of NAIC’s Insurance Data Security Model Law, NH did not adopt the Model Law wholesale. The table below compares key components of the Model Law and SB194:
| Provision | NAIC Model Law | SB194 |
|---|---|---|
| “Cybersecurity Event” Definition | “[A]n event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.”<br>Excludes: (1) the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization; and (2) an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed. | “[A]n event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system.”<br>Same exclusions as the NAIC Model Law. |
| Entities Subject to the Law | Insurance licensees of a state. | Entities licensed under New Hampshire insurance law. |
| Third Party Service Provider Policy | Insurance licensees must provide oversight of third party service provider arrangements, including due diligence and requiring third party service providers to implement appropriate administrative, technical, and physical measures to secure Information Systems and Nonpublic Information. | Same as NAIC Model Law. |
| Certification | Licensees domiciled within a state must certify compliance annually by February 15. | NH domiciled licensees must certify compliance annually by March 1. |
| Breach Notification – Deadline | No later than 72 hours after determining that a cybersecurity event has occurred. | Same as NAIC Model Law. |
| Breach Notification – Triggering Events | When either of the following criteria has been met:<br>1. The state is the licensee’s state of domicile or home state, or<br>2. The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the state, and either of the following is met:<br>a. The event requires notice to be provided to a government body, self-regulatory agency, or any other body under state or federal law, or<br>b. The event has a reasonable likelihood of materially harming:<br>i. Any consumer residing in the state, or<br>ii. Any material part of the operations of the licensee. | Substantially the same as NAIC Model Law. |
| Exception – Size | Fewer than 10 employees, including any independent contractors. | Fewer than 20 employees, including any independent contractors. |
| Exception – HIPAA Compliance | A licensee subject to HIPAA that has established and maintains an information security program pursuant to HIPAA will be considered to meet the information security program requirements of the Model Act. | A licensee subject to HIPAA will be considered to meet the requirements of SB194, but must continue to comply with the commissioner notification requirements. |
| Exceptions – Other | An employee, agent, or designee of a licensee who is also a licensee is exempt from the information security program portions of the Model Act and need not develop its own Information Security program to the extent that it is covered by the information security program of another licensee. | An employee, agent, or designee of a licensee who is also a licensee is exempt from the information security program portions of the Model Act and need not develop its own Information Security program to the extent that it is covered by the information security program of another licensee.<br>Continuing care retirement communities, life settlement providers, and portable electronics insurance vendors are exempt.<br>A licensee that is a bank or a credit union, to the extent it involves insurance, that has established and maintains programs and procedures regarding administrative, technical, and physical safeguards for customer information prescribed by the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transaction Act of 2003, and that is subject to periodic examination by its federal regulatory authorities. |