Cybersecurity regulators appear to be converging on 72-hour breach notification. First it was the European Union’s General Data Protection Regulation (“GDPR”), then the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) has adopted the Insurance Data Security Model Law (“Model Law”). All three carry a 72-hour breach notification requirement.
We have previously posted about how the Model Law closely tracks the NYDFS cybersecurity rules, which took effect on March 1, 2017, with the first compliance deadline falling on August 28, 2017.
Both regimes require covered entities to maintain a written cybersecurity policy, implement a risk-based cybersecurity program, conduct regular risk assessments, provide notice of a cyber breach within 72 hours, and certify compliance annually. And both differ from other state cybersecurity regulations by expanding their definition of nonpublic information to include business-related information, in addition to personal information.
In some respects, the Model Law goes beyond the NYDFS rules. For example, under the Model Law any Cybersecurity Event – defined as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” – triggers the 72-hour notification requirement. The NYDFS rules, by contrast, require notification only when the company has suffered an event that would trigger notice to a different regulatory authority, or one that has a “reasonable likelihood of materially harming any material part of the normal operation” of the institution, which can be a higher standard. So, for example, a ransomware attack that does not expose confidential information but does cause some non-material disruption to a company’s computer systems would not generally require notification under the NYDFS rules or state breach laws, but may require notification under the Model Law.
Moreover, the Model Law requires a Licensee to conduct a prompt investigation whenever a Cybersecurity Event has or may have occurred. That investigation must include determining whether a Cybersecurity Event has in fact occurred, assessing the nature and scope of the event, and identifying any nonpublic information that may have been involved. As anyone who has worked on such an investigation knows, many of them end inconclusively, so it can be difficult to tell when the investigation requirement has been satisfied.
The Model Law will apply to Licensees of a state only if that state enacts it into law, but some version of it is expected to be introduced in several state legislatures next year, adding to the already crowded and overlapping array of federal and state cybersecurity regulations to which many companies are subject. We will provide updates here on any important developments in this area.