October 6, 2022

Volume XII, Number 279



Vermont Enacts Insurance Data Security Law

On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.

Information Security Program Requirements

Under the new law, licensees must develop, implement and maintain a comprehensive WISP that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. Licensees must conduct a risk assessment to create a WISP “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information.” Among other requirements, licensees’ information security programs will be required to:

  • monitor emerging threats or vulnerabilities and use reasonable and appropriate security measures when sharing nonpublic information;

  • annually assess the effectiveness of existing information safeguards;

  • designate an employee, affiliate or outside vendor that is responsible for the information security program;

  • provide cybersecurity awareness training to personnel and update the training as necessary;

  • conduct due diligence when selecting third-party service providers, who must be required to implement appropriate administrative, technical and physical measures to protect licensees’ information systems and nonpublic information;

  • develop and periodically reevaluate a retention schedule and destruction mechanism for nonpublic information; and

  • establish a written incident response plan.

Licensees must annually certify their compliance with these information security program requirements in writing to the Vermont Deputy Commissioner of Insurance (the “Commissioner”) by April 15 and maintain records supporting the certification for five years. If a licensee has a board of directors, it also must provide the board with an annual written report on the WISP, compliance with the Vermont Insurance Data Security Law and other material matters related to information security.

Cybersecurity Event Investigation and Notification Requirements

Under the law, licensees must promptly investigate actual and potential cybersecurity events and undertake reasonable corrective measures. Licensees must maintain records about these cybersecurity events for at least five years. However, unlike MDL-668 and other state laws based thereon, the law does not impose notification obligations on licensees following a cybersecurity event. Instead, licensees are bound by the notification requirements of the Vermont Security Breach Notice Act, 9 V.S.A. § 2435.

Certain Licensees Are Exempt from the Law’s Requirements

Licensees will be exempt from the law’s information security program requirements if they (1) have fewer than 20 employees, including independent contractors; (2) are subject to HIPAA, maintain a HIPAA-compliant information security program and submit an annual written certification to the Commissioner; (3) are an employee, agent or representative of another licensee that is covered by the other licensee’s information security program; or (4) can produce documentation, as requested by the Commissioner, that they are subject to and in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth under the Gramm-Leach-Bliley Act.

Licensees are wholly exempt from the law if they are compliant with the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR §§ 500.0 to 500.23) and they submit a written statement to the Commissioner certifying such compliance.

Enforcement and Penalties Under the Law

The law is to be enforced by the Commissioner and does not contain a private right of action. The Commissioner can investigate licensees to determine if they have violated the law, suspend or revoke the licensee’s license, report violations to the Vermont Attorney General for prosecution and issue administrative penalties of $1,000 per violation or $10,000 per willful violation.

The law will go into effect on January 1, 2023. However, licensees will have until January 1, 2024 to comply with the information security program requirements and until January 1, 2025 to implement the third-party diligence requirements.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 160
