Page 32 - SMRH Eye on Privacy 2019 Year in Review Brochure
Happy First Day of Spring! Ohio Insurance Law Effective Today
Posted on March 20, 2019
Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of Spring). Under the law, companies have a year to put the security measures into place. Like the NAIC model, the law requires insurance providers to take several steps to protect personal information, including conducting risk assessments and having a written information security program and incident response plan. Smaller insurers (those with fewer than 20 employees, less than $5 million in gross annual revenue, and less than $10 million in assets) are exempt from the security program requirements. HIPAA-compliant companies are also exempt from the program requirements. The law impacts how companies select third-party service providers, and requires certification of compliance annually.
The law also contains provisions that relate to data breaches, namely that companies conduct an investigation in the event of a “cybersecurity event,” defined as attempted access into an information system or to nonpublic information stored on an information system. An incident is excluded from the definition if the nonpublic information was not “used” or “released,” or was “returned or destroyed.” Companies must notify the state insurance regulator at least three days after determining a cybersecurity event happened. Ohio’s general data breach notification requirements must also be followed. The insurance law also includes the same safe harbor provisions as the general breach law, which we wrote about last year.
PUTTING IT INTO PRACTICE: We anticipate more states will follow Ohio and South Carolina, putting into place specific data security requirements for insurance providers, as well as provisions about how to handle “cybersecurity events.”
Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action
Posted on February 6, 2019
In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.
Key factors the court considered in allowing the case to continue were:
• Statements on the company’s website and in SEC filings that it maintained “strong data security” and strong controls;
• The company’s inadequate software patch management process;
• Failure to encrypt sensitive data;
• Inadequate authentication measures, such as weak passwords and lack of multi-factor authentication;