Ohio’s new law requiring insurance providers to take steps to protect personal information recently went into effect on March 20, 2019. Ohio now follows South Carolina as the second state to adopt legislation modeled after the NAIC’s Insurance Data Security Model Law.
The law, codified at new Ohio Revised Code Chapter 3695, applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws (defined as “licensees”). Only smaller licensees that have fewer than 20 employees, less than $5 million in gross annual revenue, or less than $10 million in assets are exempt from these requirements. The law requires licensees to “develop, implement, and maintain a comprehensive written information security program…contain[ing] administrative, technical, and physical safeguards for the protection of nonpublic information.” Nonpublic information includes health information, financial information, or certain identifiers such as social security or bank account numbers.
The law also contains data breach provisions: companies must conduct an investigation in the event of a “cybersecurity event,” defined as attempted access to an information system or to nonpublic information stored on an information system. An incident is excluded from this definition if the nonpublic information was not “used” or “released,” or was “returned or destroyed.” Companies must notify the Ohio Superintendent of Insurance no later than three days after determining that a cybersecurity event has occurred. Additionally, licensees are required to notify the Ohio Superintendent of Insurance when a cybersecurity event impacts 250 or more Ohio consumers and requires notification to any government body or agency. The statute further outlines what information the cybersecurity event notice must include. There is also an annual certification requirement: on February 15 of each year, each insurer domiciled in Ohio must submit to the Ohio Superintendent of Insurance a written statement certifying that the insurer is in compliance with the requirements of the new law. Insurers must maintain records of all cybersecurity events for at least five years from the date of the event.
Keep in mind that the requirements of Ohio’s already-existing general data breach notification law, which requires licensees to notify Ohio residents of the cybersecurity event, must also be followed. The new insurance law also includes the same safe harbor provisions as the general breach law. Insurers should watch whether other states follow South Carolina and Ohio’s lead and adopt cybersecurity legislation modeled after the NAIC’s model law.