Ohio Enacts New Cybersecurity Requirements for Insurers
Senate Bill 273 goes into effect on March 20, 2019, and creates new requirements for Ohio insurance companies, including health insurance plans, to develop and implement specific information security programs to safeguard nonpublic business and personal information. Senate Bill 273 is based upon the National Association of Insurance Commissioners’ Insurance Data Security Model Law (also referred to as "MDL-668"). With the enactment of Senate Bill 273, Ohio has become the second state to adopt a version of MDL-668, joining South Carolina. Senate Bill 273 is codified at new Ohio Revised Code Chapter 3965.
Development of Information Security Programs
Senate Bill 273 applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws (defined as “Licensees”). All Licensees will be required to develop, implement, and maintain a comprehensive written information security program, based on the Licensee's internal risk assessment, to safeguard the Licensee’s nonpublic information, which is defined as business and personal information, the disclosure of which would harm the business or expose certain personal details of a customer. Nonpublic information includes health information, financial information, or certain identifiers such as social security or bank account numbers. A Licensee’s information security program is required to be proportional “with the size and complexity of the Licensee, the nature and scope of the Licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the Licensee or in the Licensee's possession, custody, or control.” Only smaller Licensees that have fewer than 20 employees, less than $5 million in gross annual revenue, or less than $10 million in revenue are exempt from these requirements.
At a minimum, a Licensee’s information security plan is required to do the following:
Senate Bill 273 also requires Licensees to include the following as a part of their information security program:
Cybersecurity Event Notification Requirements
Senate Bill 273 requires Licensees to notify the Ohio Superintendent of Insurance upon the occurrence of a “cybersecurity event.” A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the Licensee.” The Licensee is required to notify the Ohio Superintendent of Insurance no later than three business days after the determination of the occurrence of a cybersecurity event if the Licensee is domiciled in Ohio. Additionally, Licensees are required to notify the Ohio Superintendent of Insurance in the event the cybersecurity event impacts 250 or more Ohio consumers and requires notification to be provided to any government body or agency.
Cybersecurity event notices are required to include as much of the following information as possible:
In addition to these notification requirements, the Licensee is required to notify Ohio residents of the cybersecurity event in accordance with the existing requirements set forth at Ohio Revised Code § 1349.19. The Ohio Superintendent of Insurance is required to receive a copy of any cybersecurity event notices sent to individuals.
Certification of Compliance and Affirmative Defenses
Senate Bill 273 requires each insurer domiciled in Ohio to submit to the Ohio Superintendent of Insurance a written statement certifying compliance with all of the above information security program requirements by February 15 each year. Insurers domiciled and licensed exclusively in Ohio may include this information in their corporate governance annual disclosure form, which is required to be submitted to the Ohio Superintendent of Insurance by June 1 each year. All records supporting compliance with Senate Bill 273 are required to be kept by the insurer for at least five years and are required to be available for inspection by the Ohio Superintendent of Insurance.
Licensees that meet all of the requirements of Ohio Senate Bill 273 are deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework for the purposes of Chapter 1354 of the Ohio Revised Code. This provides the Licensee with an affirmative defense to any cause of action based on a tort action brought under the laws of Ohio or in an Ohio court alleging the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
Licensees subject to and compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules (45 C.F.R. Parts 160 and 164) are deemed to meet the bill's requirements. These Licensees can submit a written statement to the Ohio Superintendent of Insurance certifying their compliance with the HIPAA privacy and security rules. Licensees subject to HIPAA are still required to comply with the requirements regarding the notification of cybersecurity events.
Licensees will have one year to come into compliance with the new requirements, with the exception of the certain provisions applicable to third party service providers, which will afford two years for Licensees to comply with those provisions. The Ohio Superintendent of Insurance is authorized to adopt any new regulations required to carry out the requirements of Senate Bill 273.
If you have any questions as to how the new Ohio cybersecurity law for insurance companies will impact your organization, please contact your Dinsmore health care attorney.
 O.R.C. § 3965.01(M)
 See, O.R.C. 3965.01(O)
 O.R.C. § 3965.02 (A)
 O.R.C. §§ 3965.01 and 3965.02(A) and (B)
 O.R.C. § 3965.02(C).
 O.R.C. § 3965.01(E)
 O.R.C. § 3965.04(A)
 O.R.C. § .04(B)(1)
 O.R.C. § .04(B)(2).
 O.R.C. § 3965.02(I)
 O.R.C. §§ 3965.03(C) and (D).
 O.R.C. § 3965.02(I)
 O.R.C. § 3965.02(F)
Link to article
- Resolutions of the Hungarian data protection authority imposing fines under the GDPR (21 June 2019)
- New UAE Regulatory Policy for the Internet of Things
- Ninth Circuit Rules ERISA Pension Plan Must Pay Survivor Benefits to Registered Domestic Partner
- Fake Meat Good, Fake News Bad
WSG Member: Please login to add your comment.