October 30, 2020

Volume X, Number 304

Advertisement

October 29, 2020

Subscribe to Latest Legal News and Analysis

October 28, 2020

Subscribe to Latest Legal News and Analysis

October 27, 2020

Subscribe to Latest Legal News and Analysis

New Ohio Insurance Law Effective Today

Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273,applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of Spring). Companies have, under the law, a year to put the security measures into place. The law, like the NAIC model, requires insurance providers to take several steps to protect personal information, including conducting risk assessments and having a written information security program and incident response plan. Smaller insurers -those with less than 20 employees, less than $5 million in gross annual revenue, and less than $10 million in assets- are exempt from the security program requirements. HIPAA-compliant companies are also exempt from the program requirements. The law impacts how companies select third-party service providers, and requires certification of compliance annually.

The law also contains provisions that relate to data breaches, namely that companies conduct an investigation in the event of a “cybersecurity event,” defined as attempted access into an information system or to nonpublic information stored on an information system. Exempted out of an event is if the nonpublic information was not “used,” “released,” or was “returned or destroyed.” Companies must notify the state insurance regulator at least three days after determining a cybersecurity event happened. Ohio’s general data breach notification requirements must also be followed. The Insurance law also includes the same safe harbor provisions as the general breach law, which we wrote about last year.

Putting it Into Practice: We anticipate more states will follow Ohio and South Carolina, putting into place specific data security requirements for insurance providers, as well as provisions about how to handle “cybersecurity events.”

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume IX, Number 79
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney
Associate

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

202-747-2658
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Elfin Noce Business Trial Attorney
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
Advertisement
Advertisement