Wisconsin's New Insurance Data Security Law
Cyberattacks on organizations with large consumer databases have been on the rise recently. This is certainly true for the insurance industry, which also has been migrating more business to online platforms in an effort to keep pace with the increasingly digital world in which we live. The insurance industry is an appealing target for cybercriminals and other bad actors due to the vast wealth of personally identifiable information held by the industry. Wisconsin’s new insurance data security law seeks to address these issues by providing guidelines for the industry on new data security policies, processes, and systems.
Who Must Comply?
- Any person or entity that is licensed, registered, or authorized with the Office of the Commissioner of Insurance, referred to as a Licensee, with some exceptions:
- Entities affiliated with depository institutions that are in compliance with federal guidelines
- Entities covered under and in compliance with HIPAA if they treat all nonpublic consumer information in the same manner as protected health information
- Entities in compliance with the federal Farm Credit Administration data security guidance
- Entities with less than $10 million in year-end total assets
- Entities with less than $5 million in gross annual revenue
- Entities with fewer than 50 employees (including independent contractors)
- A third-party contracted by an Licensee to manage information systems and nonpublic information
What is Required?
The new law requires Licensees to conduct a risk assessment of their practices and systems and to find ways to manage these risks. One way that Licensees must manage risks is to develop and implement an Information Security Program that details plans for responding to a cybersecurity incident and investigating the incident. This program must be reviewed and adjusted regularly. Licensees must take the following actions:
- Conduct a Risk Assessment
In order to shore up any vulnerabilities to an unintentional disclosure or leak of nonpublic information, Licensees must first thoroughly assess their own internal policies, procedures, and information systems to identify those vulnerabilities by November 1, 2022. This assessment should 1) identify reasonably foreseeable internal and external threats, 2) assess the likelihood and potential damage of these threats, and 3) evaluate the adequacy of current policies, procedures, and systems as they relate to employee training, information system management, and the detection of and response to attacks or system failures.
- Implement Risk Management Strategies
By November 1, 2022, Licensees must develop an information security program, must implement new security measures, and must remain vigilant regarding emerging risks.
- Develop an Information Security Program
First, a Licensee must have an information security program. This program should be shaped by the risks identified in the risk assessment described above, and should include physical, procedural, and technical safeguards for all nonpublic information. The ultimate goal of the program is to encourage Licensees to defend against security threats, diminish the likelihood of harm by these threats, determine when and how to store nonpublic information, and destroy information once it is no longer needed.
- Implement New Security Measures
Second, a Licensee should identify and implement security measures that are appropriate in light of the information in question and the potential risks to it. This includes technological controls, like the encryption of data, multi-factor authentication for employees accessing nonpublic information, and audit trails within information systems to detect cybersecurity events and trace their impact. Licensees should also establish physical controls like restricting physical access to secured areas, protecting against destruction of data due to environmental disasters or technological failures, and managing the devices and facilities from which the information is accessible. There should also be procedural controls against the release of information, like implementing regular testing and monitoring of systems to detect attacks and developing practices for the secure disposal of nonpublic information.
- Remain Vigilant regarding New Threats
Third, a Licensee should remain proactive in preparing itself for future threats. This is done in a number of ways. The Licensee must designate a specific party as being responsible for the information security program, who in turn must help the Licensee stay informed regarding emerging threats and try to safeguard against them. Another key part of preparing for future threats is reassessing the effectiveness of existing security measures annually. Most importantly, cybersecurity risks must be factored into employee training, security measures when sharing information, and enterprise risk management software. All this must be in place by November 1, 2022.
- Create an Incident Response Plan
By November 1, 2021, Licensees must have a response plan in place to address and resolve a cybersecurity incident as it is occurring. This written plan must:
- Include the goals of the plan;
- Explain how an employee should respond to the event;
- Provide guidance on which parties will make decisions and the responsibilities of each party;
- Detail external and internal communication policies;
- Require relevant parties to identify the weaknesses revealed by the event and remedy them;
- Give instructions regarding the documentation of the event;
- Give instructions to reevaluate and revise the plan after the event.
- Respond to Cybersecurity Incidents
Should a cybersecurity event occur on or after November 1, 2021, a Licensee must investigate to determine what information was accessed, how many consumers were exposed, and how system security can be restored. The Licensee must also be prepared to promptly notify several parties.
Within three business days of the discovery of a cybersecurity event, the Licensee must notify the Commissioner of Insurance if it believes that more than 250 consumers could be materially harmed by the breach, or if it is bound to notify another governmental agency or regulatory body by state or federal law. The Licensee must disclose any details known about the breach, including when it occurred, how it was discovered, how private information was disclosed, what type of information was disclosed, and the number of consumers affected by it. The notification must also include details about how the Licensee investigated and addressed the event, whether another governing body was notified and how it will notify consumers affected, as well as the contact information for a person familiar with the event that can act on the Licensee’s behalf.
The Licensee must notify consumers affected by the event within a reasonable period of time, not to exceed forty-five days. If the event affected over 1,000 consumers, the Licensee must notify all consumer reporting agencies operating on a nationwide basis of information on the notices sent to consumers.
For guidance and advice on implementing changes to your policies, procedures, and information systems in light of changing state law, please contact your current Quarles & Brady counsel or:
- William Toman: (608) 283-2434 / william.toman@quarles.com