Share this article on:
From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information.
The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals.
Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in relation to physical/mental health, the provision of healthcare, or payment for healthcare.
The security program must ensure the security of information and information systems is protected, that threats to the security and integrity of information and information systems are mitigated, safeguards must be implemented to prevent unauthorized data access, and a mechanism must be put in place to ensure nonpublic information is permanently destroyed when no longer required.
Licensees are required to designate a party to be responsible for the security program and must identify reasonably foreseeable threats that could threaten the confidentiality, integrity, and availability of nonpublic information. Risks must be assessed for the likelihood of a breach and potential damage that could be caused. Risks must be managed, and safeguards put in place to manage threats must be assessed to ensure they are sufficient. Safeguards’ key controls, systems, and procedures must be reassessed at least annually to ensure they remain effective.
The security program should reflect the size and complexity of the licensee, the nature of its activities, the use of third-party service providers, and the sensitivity of the data.
If a security event is experienced that results in unauthorized access to information systems or nonpublic information that has a reasonable likelihood of resulting in material harm to a consumer or could have an adverse effect normal business operations, the Ohio Superintendent of Insurance must be notified within three days of the discovery of incident if the Licensee is based in Ohio. The Ohio Superintendent of Insurance must also be notified of a security event that affects 250 or more Ohio residents or warrants a notification to a government agency. Notifications must also be issued to consumers affected by the security incident in accordance with other state laws.
The new law applies to all individuals and non-government entities that are licensed under insurance laws in Ohio that have 20 or more employees, more than $5 million in gross annual revenue, or more than $10 million in assets.
Entities that are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with Senate Bill 273.
Licensees will be given one year to comply with the new requirements. The effective compliance date is therefore March 20, 2020.