October 23, 2021

Volume XI, Number 296

Insurance Cybersecurity Certifications: A State Roundup

Many states require insurance providers registered to do business in their states to complete annual certifications of compliance. The deadline in New Hampshire is coming up, on March 1. For Alabama, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina, the deadline was February 15. (The deadline under Virginia’s new law will be February 15 as well, starting in 2023.) The deadline in Indiana and New York is April 15.

This certification requirement is captured in the model National Insurance Data Security Law endorsed by the National Association of Insurance Commissioners. That model law, and those states that have implemented it, require insurers not only to have information security programs in place, but also to attest compliance. There are some exemptions, including for small businesses with fewer than ten employees, licensees subject to and in compliance with HIPAA requirements, and employees, agents, and representatives of licensees. As part of the certification process, companies typically need to submit written confirmation that they comply with the law, and thus have, among other things:

  • A comprehensive written information security program commensurate with the company’s size and complexity

  • A written incident response plan

  • Employee training

  • Appropriate oversight by the company’s board of directors

Once submitted, companies must maintain the records and data supporting their certifications. In most states that retention period is five years.

Putting it Into Practice: When fulfilling certification obligations, companies should keep in mind the underlying requirements to which they are certifying. The current certification season is a good reminder to regularly take stock of ongoing compliance obligations and efforts.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 49

About this Author

James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...

858.720.7418
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335