New Ohio Law Creates Comprehensive Cybersecurity Requirements for Insurers
Ohio took a major step toward regulating the cybersecurity practices of insurers in the state. The Ohio Legislature passed Senate Bill 273 (the “Law”)[1] in December of 2018, and the measure takes effect on March 20, 2019. The Law creates a number of cybersecurity requirements for Ohio insurers, including the implementation of an information security program, new data breach notification requirements, and third-party due diligence obligations. The Law also notably creates an affirmative defense, or “safe harbor,” to tort actions stemming from a data breach for insurers that comply with the provisions of the Law.
Risk Assessment and Information Security Program
The Law creates a new requirement for “licensees” (insurers authorized to do business in Ohio, but excluding a purchasing or risk retention group chartered and licensed in another state, and an assuming insurer domiciled in another state) to “develop, implement, and maintain a comprehensive written information security program.”[2] The Law further requires that a licensee conduct a risk assessment to determine the scope of its respective information security program.[3] The Law defines an information security program as “administrative, technical, and physical safeguards that a licensee uses to . . . process, protect, store . . . or otherwise handle nonpublic information.”[4]
The Law requires that the information security program meet a number of objectives, including:
- Protecting the security and confidentiality of nonpublic information and the security of the information system;
- Protecting against any threats or hazards to the security or integrity of nonpublic information and the information system;
- Protecting against unauthorized access to or use of nonpublic information and minimizing the likelihood of harm to any consumer; and
- Defining and periodically reevaluating a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.[5]
Additionally, the Law requires the information security program to meet several specific requirements, such as the designation of a party responsible for the program, the identification of reasonably foreseeable internal or external threats to nonpublic information, and an annual assessment of the key controls, systems, and procedures put in place to safeguard nonpublic information.[6]
Third-Party Due Diligence
The Law requires a licensee to exercise due diligence in selecting third-party service providers as part of its respective information security program.[7] This third-party due diligence requires a licensee to ensure that the third-party service providers it engages implement appropriate and effective safeguards to protect and secure the information systems and nonpublic information to which those third parties may have access.[8]
Incident Response Plan and Breach Notification Requirements
The Law not only requires a licensee to develop an incident response plan, but also to notify the Ohio Superintendent of Insurance (“Superintendent”) of certain “cybersecurity events.” As part of its information security program, a licensee is required to establish an incident response plan for any potential “cybersecurity event.” Note that the term is broader than a data breach: it covers unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored on it, so an outage or ransomware incident can qualify even where no data is exfiltrated.[9] In the event of a cybersecurity event, a licensee is required to conduct a “prompt investigation” of the cybersecurity event to determine its scope.[10]
One of the more notable provisions in the Law is the heightened data breach notification requirement for licensees. Under Ohio’s general data breach notification law, there is no obligation to notify any governmental or regulatory agency of a data breach. However, in the case of a licensee doing business in Ohio, the Law requires that notification be delivered to the Superintendent no later than seventy-two (72) hours after the licensee determines that a cybersecurity event has occurred, when either of the following criteria is met:
- Ohio is the licensee’s state of domicile and the cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee; or
- The licensee reasonably believes that the nonpublic information involved in the event relates to two hundred and fifty (250) or more Ohio consumers and the event is either:
- An event of which notice is required to be provided to any authority under state or federal law; or
- An event that has a reasonable likelihood of materially harming an Ohio consumer or a material part of the normal operations of the licensee.[11]
Notification to the Superintendent must include specific information about the cybersecurity event, pursuant to an enumerated list of required information in the Law.[12] Because the 72-hour clock starts at the determination that an event occurred, a licensee’s incident response plan should define who makes that determination and how the required facts are gathered in time to meet the deadline.
Board of Directors Accountability and Certification of Compliance
The Law creates a number of obligations holding a licensee’s board of directors accountable for its information security program. The Law requires the board of directors, or an appropriate committee of the board, to ensure that executive management “develop, implement, and maintain” the information security program and report in writing, at least annually, on the status of the program and any material matters related to it.[13]
Additionally, the Law requires a licensee domiciled in Ohio to annually submit to the Superintendent a written statement certifying compliance with the requirements of the Law.[14] A licensee is further required to maintain all records, schedules, and data supporting the certification of compliance for a period of five (5) years in order to facilitate future inspection by the Superintendent.
Cybersecurity Safe Harbor
Another noteworthy provision in the Law is the “safe harbor” for licensees that are in compliance with the information security program requirements. A safe harbor is a legal standard established in statute that, if satisfied, will protect a business from certain liability. This provision may look familiar, because a similar, general cybersecurity safe harbor was signed into law in Ohio in August 2018. To learn more about the general cybersecurity safe harbor, please click this link.
The Law states that if a licensee meets its statutory requirements, then it is “entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state . . . and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning nonpublic information.”[15] As a result, a licensee that meets all of the requirements of the Law has an affirmative defense to Ohio tort claims alleging that inadequate information security controls caused a data breach. Note the limits of the provision: it is an affirmative defense, which the licensee must raise and support with evidence of its compliance (hence the importance of the retained certification records), and by its terms it reaches only tort claims under Ohio law, not claims under other theories or under federal law.
Exemptions
The Law contains important exemptions for certain licensees. First, the Law explicitly exempts licensees that meet the following criteria:
- the licensee has fewer than twenty (20) employees;
- the licensee has less than five million dollars ($5,000,000) in gross annual revenue; and
- the licensee has less than ten million dollars ($10,000,000) in assets, measured at the end of the licensee’s fiscal year.[16]
Additionally, licensees that comply with the federal Health Insurance Portability and Accountability Act (“HIPAA”) are deemed to be compliant with the requirements of the Law, except for the Superintendent breach notification requirement.[17] Such HIPAA-compliant licensees are required to certify their compliance with HIPAA to the Superintendent and must retain records supporting that certification for a period of five (5) years.[18]
Conclusion
With the increase in cyberattacks over the last few years, it is critical for licensees doing business in Ohio to have robust safeguards in place to protect consumer nonpublic information and to reduce the risk of liability for their businesses. With the Law taking effect on March 20, 2019, and the first certification of compliance with the information security program requirements coming thereafter, licensees need to work with their IT departments, boards of directors, and legal counsel to develop a robust compliance program.
Ice Miller has the cybersecurity professionals and experience to help clients implement comprehensive information security programs and qualify for the cybersecurity safe harbor. To speak to an attorney, please contact Nicholas Merker.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] Senate Bill 273, The Ohio Legislature, https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-273.
[2] Ohio Rev. Code § 3965.02(A).
[4] Ohio Rev. Code § 3965.01(J).
[5] Ohio Rev. Code § 3965.02(B).
[6] Ohio Rev. Code § 3965.02(C).
[7] Ohio Rev. Code § 3965.02(F)(1).
[8] Ohio Rev. Code § 3965.02(F)(2).
[9] Ohio Rev. Code § 3965.02(H).
[10] Ohio Rev. Code § 3965.03(A) & (B).
[11] Ohio Rev. Code § 3965.04(A).
[12] Ohio Rev. Code § 3965.04(B).
[13] Ohio Rev. Code § 3965.02(E).
[14] Ohio Rev. Code § 3965.02(I)(1).
[15] Ohio Rev. Code § 3965.08(A).
[16] Ohio Rev. Code § 3965.07(A)(1)-(3).
[17] Ohio Rev. Code § 3965.07(B)(1).