On April 10, 2020, the New Hampshire Insurance Department released Bulletin INS 20-013-AB (the “Bulletin”), providing additional guidance regarding the submission of certifications in accordance with RSA 420-P Insurance Data Security Law.

RSA 420-P, enacted during the 2019 session, became effective January 1, 2020.  (For a full discussion of RSA 420-P, please see our August 2019 post here.)  The Bulletin provides guidance regarding the information security program, filing annual certifications, and safe harbor exceptions.

Information Security Program

By January 1, 2021, licensees (unless excepted) are required to develop, implement, and maintain a comprehensive written information security program that complies with the requirements of RSA 420-P:4. The Insurance Data Security Law contains several exceptions, including:

  • A licensee with fewer than 20 employees, including any independent contractors, is exempt;
  • An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt and need not develop its own program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee;
  • A continuing care retirement community, as defined by RSA 420-D, is exempt;
  • A life settlement provider, as defined by RSA 408-D, is exempt;
  • Bank or credit union licensees that implement administrative, technical, and physical safeguards under the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) are exempt;
  • A motor vehicle retail seller or a motor vehicle sales finance company, as defined in RSA 361-A, is exempt, and those provisions of this chapter that apply to a motor vehicle retail seller or a motor vehicle sales finance company apply only to the extent that it involves insurance; and
  • A vendor, as defined under RSA 402-K:1, is exempt.

If a licensee ceases to qualify for an exception, the licensee has 180 days to comply with the requirements of RSA 420-P:4.

Annual Certification for Domestic Insurers

As of March 1, 2021, all New Hampshire domiciled insurers are required to submit a written statement to the Commissioner certifying that the insurer is in compliance with the requirements of RSA 420-P:4. Insurers may complete their certification using the “New Hampshire Insurance Data Security Law Information Security Program Certification Form.”

According to the Bulletin, “if the insurer has (1) established and maintains an information security program that is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and with Parts 160 and 164 of Title 45 of the Code of Federal Regulations for protected health information and maintains other nonpublic consumer information in the same manner, or (2) established and maintains an information security program that is compliant with N.Y. Comp. Codes R. & Regs. Title 23, section 500, the ‘New Hampshire Insurance Data Security Law Exception Certification Form’ may be submitted in the place of the certification form.”

Insurers may find these forms online at https://www.nh.gov/insurance/legal/cybersecurity.htm. The annual certification must be submitted no later than March 1, 2021, along with an insurer’s annual financial statement.

Written Statements Certifying Compliance for All Other Licensees

As of January 1, 2021, all licensees must have an Information Security Program that meets the requirements of RSA 420-P:4, unless the licensee is excepted pursuant to RSA 420-P:9, or satisfies a safe harbor provision pursuant to RSA 420-P:10 or RSA 420-P:11. The exemptions under RSA 420-P:9 are described above. The safe harbor provisions apply to licensees that are compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and/or the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).

Licensees other than domestic insurers are not required to submit annual compliance certifications. Regardless, all licensees are recommended to have their information security program and any corresponding documentation available in the event the New Hampshire Commissioner requests their production.

Additionally, for licensees other than domestic insurers, the Bulletin states:

Any licensee that (1) establishes and maintains an information security program in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and with Parts 160 and 164 of Title 45 of the Code of Federal Regulations for protected health information and maintains other nonpublic consumer information in the same manner, or (2) establishes and maintains an information security program in compliance with N.Y. Comp. Codes R. & Regs. Title 23, section 500 must submit a written statement to the Department certifying compliance with either RSA 420-P:10 or RSA 420-P:11. This written statement may be submitted by filling out the “New Hampshire Insurance Data Security Law Exception Certification Form” available online at https://www.nh.gov/insurance/legal/cybersecurity.htm. All exception forms for licensees must be filed no later than March 1, 2021. Licensees that are not domestic insurers only need to file the Exception Certification Form with the Department once.

Please let us know if you have any questions related to the requirements of New Hampshire RSA 420-P Insurance Data Security Law.