New Hampshire Data Law Extends Security Requirements to Insurance Providers
New Hampshire signed into law Senate Bill 194-FN, the Insurance Data Security Law, on August 2, 2019, which requires insurers licensed in New Hampshire to implement an information security program, investigate cybersecurity events, and report such cybersecurity events to the New Hampshire insurance commissioner. This law is effective January 1, 2020; however, insurers have until January 1, 2021, to implement its requirements.
The law applies to “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered” under New Hampshire insurance law, which the law refers to as licensees. In many respects the law has parallels to the security program and reporting requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), applicable to entities providing healthcare. The law protects nonpublic information, which is information that is not publicly available information (as further defined in the law) and is:
(a) Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
(1) Social Security number.
(2) Driver’s license number or non-driver identification card number.
(3) Financial account number, credit or debit card number.
(4) Any security code, access code or password that would permit access to a consumer’s financial account.
(5) Biometric records; or
(b) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to:
(1) The past, present or future physical, mental or behavioral health or condition of any consumer or a member of the consumer’s family;
(2) The provision of health care to any consumer; or
(3) Payment for the provision of health care to any consumer.
Security Program
Licensees are required to implement a security program “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information” held by the licensee. Like HIPAA, the security program must be based on the licensee’s risk assessment and contain administrative, technical, and physical safeguards for the protection of nonpublic information. Moreover, as part of the security program, the licensee must exercise due diligence in selecting its third-party service providers and require these third-party service providers to implement appropriate administrative, technical, and physical measures to protect the nonpublic information they hold. Notably, the requirements applicable to third-party service providers do not take effect until January 1, 2022.
Cybersecurity Event Investigation
If a licensee learns that there is unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system (a “cybersecurity event”), the licensee must conduct a prompt investigation. At a minimum, the investigation shall determine whether a cybersecurity event has occurred, assess the nature and scope of the event, identify the information involved, and perform/oversee reasonable measures to restore the security of the information systems. This investigatory requirement also extends to a licensee’s third-party service providers.
Cybersecurity Event Reporting
The final major component of the new law is a requirement to report cybersecurity events. A licensee must make a report to the insurance commissioner within three business days of a determination of a cybersecurity event. Reporting obligations are triggered if there is a reasonable likelihood of harm to a New Hampshire resident or reasonable likelihood of harm to the licensee’s normal business operations, if the licensee is domiciled in New Hampshire. Alternatively, if the licensee is not domiciled in New Hampshire, the reporting obligations are triggered if 250 or more New Hampshire residents are affected and the event impacts the licensee or is reasonably likely to harm a New Hampshire resident or the normal operations of the licensee’s business. Notification must be made to affected New Hampshire residents in accordance with the state’s breach notification law.