Client Alert: Ohio’s New Cybersecurity Requirements on Insurers and Other Licensees Set to Take Effect in March

Ohio recently added comprehensive cybersecurity requirements to its insurance laws through Substitute Senate Bill 273 (the Ohio Cybersecurity Law), which take effect on or about March 19, 2019 (the Effective Date).  The Ohio Cybersecurity Law is based on, with some modifications, the Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners.  Ohio joins South Carolina and Michigan in recent adoptions of the model law. 

Ohio’s Cybersecurity Law applies to any person under Ohio’s insurance laws who is licensed, authorized, or registered to operate, or who is required to be licensed, authorized, or registered to operate, which includes insurance companies (Licensees). However, Licensees with fewer than twenty employees, less than five million dollars in gross annual revenue, or less than ten million dollars in assets are exempt from the law.

On the heels of high-profile data breaches in the insurance industry, the law establishes broad data security requirements and imposes standards for investigating and reporting data security incidents.  Licensees have one year to comply with most of the new cybersecurity requirements.  Importantly, the law represents the “exclusive state standards and requirements applicable to licensees regarding cybersecurity events, the security of nonpublic information, data security, investigation of cybersecurity events, and notifications to the superintendent of cybersecurity events.”  R.C. § 3965.09.  

The Ohio Cybersecurity Law will have a significant impact on the operations and corporate governance of Licensees.  For example, it requires Licensees to: 

Adopt a Written Cybersecurity Program

Each Licensee is required to develop, implement and maintain a comprehensive written information security program based upon the Licensee’s own risk assessment (the Security Program).  The Security Program should be commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee’s activities, including the Licensee’s use of third-party service providers, and the sensitivity of the nonpublic information used, possessed, or controlled by the Licensee.

Implement Safeguards to Protect Nonpublic Information

The Security Program must contain administrative, technical, and physical safeguards to protect nonpublic information and shall:

Conduct Risk Assessments

Each Licensee must conduct risk assessments that:

Address Certain Security Vulnerabilities

The Licensee must use the outcomes from its internal risk assessment to undertake the following:

Designate Responsibility for Data Security – Starting with the Board of Directors

The Licensee’s Board of Directors, or a committee thereof, must:

Additionally, one or more persons or entities must also be designated to act on behalf of the Licensee and be responsible for the Security Program. 

Increase Diligence over Third Party Providers

Within two years of the Effective Date, Licensees are also required to exercise due diligence in selecting their third-party providers that maintain, process, or store nonpublic information or that otherwise have access to the Licensee’s nonpublic information in connection with the services they provide. Licensees are mandated to require their third-party service providers to implement appropriate administrative, technical, and physical measures and safeguards to protect and secure the nonpublic information that is accessible to, or held by, the third-party service provider.

Implement Written Incident Response Plan

Licensees are required to establish and maintain a written incident response plan that is designed to respond to and recover from any cybersecurity event.  The Incident Response Plan must address at least the following:

Report Cybersecurity Events to the Ohio Department of Insurance

If a Licensee learns that a cybersecurity event has or may have occurred, the Licensee is required to conduct a prompt investigation to determine whether the cybersecurity event did in fact occur.  The investigation must assess the nature and scope of the cybersecurity event, identify any nonpublic information that may have been disclosed, and perform reasonable measures to secure the information systems compromised in the cybersecurity event.

The Superintendent of Insurance must be notified as promptly as possible once the Licensee has confirmed a cybersecurity event involving nonpublic information occurred.  However, this prompt notification must be completed within three (3) business days if the Licensee meets certain codified criteria.  The notice must contain as much information as possible about the cybersecurity event and must be updated with material developments as the investigation proceeds.

Licensees must maintain records concerning cybersecurity events for at least five (5) years from the date of the event. 

Importantly, not every cybersecurity event is reportable under the law.  The definition of a “cybersecurity event” excludes instances where the compromised information was encrypted and the encryption, process, or key is not also compromised.  The definition also excludes instances where the Licensee’s investigation determines that the nonpublic information accessed by an unauthorized person has not been used or released and the nonpublic information was returned or destroyed.

Certify Compliance Each Year

Each insurance company domiciled in Ohio, except for an insurance company that is domiciled in Ohio and exclusively licensed in Ohio, shall submit annually, on or before February 15, a written statement certifying that it is in compliance with the Ohio Cybersecurity Law.  An insurance company that is licensed exclusively in Ohio is permitted to include this annual certification as part of its Corporate Governance Annual Disclosure filing due June 1 under Section 3901.073 of the Ohio Revised Code.

Other Key Provisions

In addition to these requirements, the Ohio Cybersecurity Law contains several key provisions to assist with compliance.  For example, Licensees who are covered by the Security Program of another licensee do not have to develop a separate Security Program of their own. In the event a Licensee no longer qualifies for one of the law’s exemptions, the Licensee will have one hundred eighty (180) days after the date it ceases to qualify for the exemption to comply with the cybersecurity requirements.

Licensees who comply with Ohio Cybersecurity Law may also qualify under Ohio’s Data Protection Act for an affirmative defense to certain tort actions.  More information about Ohio’s Data Protection Act is available here.  Additionally, materials furnished to the Superintendent in connection with compliance with the Ohio Cybersecurity Law are considered confidential, privileged, not considered a public record, not subject to subpoena and shall not be subject to discovery or admissible as evidence in any private civil action.  However, the Superintendent may use these documents and other information for regulatory or legal action brought as part of the Superintendent’s duties. 

Next Steps

Licensees should have their IT, legal, and corporate governance teams collaborate to develop a tailored approach to comply with these robust new requirements. A generic, one-size-fits-all approach will not work. In addition, directors of Licensees should be promptly advised of the resources and responsibilities that will be necessary to achieve timely compliance. It should also be understood that the process is organic and will continue to evolve as Licensees’ business and technology change.

This summary is qualified in its entirety by the Ohio Cybersecurity Law and ORC Chapter 3965.  For more information or questions regarding the Ohio Cybersecurity Law and ORC Chapter 3965, or developing a program to comply with this new law, please contact Anthony Spina, Tom Szykowny, John Landolfi, Chris Ingram, or your Vorys attorney.