Growing Majority of States Have Insurer-Specific Data Breach Requirement: Lawyers
Missouri's move to join 32 states and Puerto Rico that have insurer-specific data breach requirements is “a clear signal of the growing momentum behind stricter cybersecurity regulations across the U.S. for insurance entities,” Fisher Phillips attorneys blogged Friday.
Missouri Gov. Mike Parson (R) signed an insurance data security bill (HB-974) into law on July 2. The new policy “will establish standards for insurers and licensed entities regarding data security, breach investigations, and notification protocols when it takes effect on” Jan. 1, wrote the law firm’s Randall Coffey, Daniel Pepper and Jillian Seifrit. Similar legislation is pending in Idaho, they said.
“These [state insurance department] requirements are separate and in addition to the existing data breach statute requirements in all states, but they raise the bar significantly,” they added. “What sets them apart? Accelerated reporting timelines, more stringent compliance standards, and a broader definition of nonpublic information that goes beyond most states’ definitions of personally identifiable information.”
Under the Missouri law, for example, licensees must notify the state’s insurance director within four business days of a cybersecurity event involving nonpublic information, in certain circumstances, said the lawyers. That requirement would apply when the licensee or insurer is based in Missouri and the incident will likely materially harm a Missouri resident or business. It would also apply if the licensee reasonably believes that the breach affected the nonpublic personal information of more than 250 Missourians and either the licensee is required to report to another state or federal entity, or the event is reasonably likely to harm a Missouri consumer or business.