As predicted, 2019 has seen the expansion of more state-specific legislation relating to cybersecurity and data protection. What started with Ohio’s safe harbor law has rapidly spread to more states, especially in the Midwest. Some industries are moving faster than others: what we’ve seen in New York with 23 NYCRR 500 and the financial services industry has moved to the Midwest and the insurance industry.
Ohio Safe Harbor Law
As we’ve reported in the past, Ohio passed a bill in 2018 that grants safe harbor to Ohio businesses that suffer a breach despite having implemented an approved list of standards and frameworks. Specifically, this law grants a defense against causes of action brought under Ohio law. However, this law led the way for many states to begin enacting their own forms of data security, protection, and privacy legislation. As we’ve seen with California, Washington, and a host of others, many states are using their faster legislative process to protect their constituents while the federal government looks to a more wide-ranging solution.
Ohio’s Data Protection Act laid the foundation for the next iteration of legislation around cybersecurity and data protection, specifically in the insurance industry.
The Insurance Data Security Model Law
The Insurance Data Security Model Law (shortened to Model Law) was developed in part by the National Association of Insurance Commissioners (NAIC). Following the catastrophic breaches of Anthem, Premera Blue Cross, and others, the NAIC recognized the criticality of the personal data that insurance companies store.
In October of 2017, the NAIC ratified the Model Law for all insurance companies, in the same way that HIPAA protects healthcare information. While more of a framework than a law until an individual state adopts it, the Model Law drew inspiration from the NYDFS 23 NYCRR 500 with some key differences. What is remarkable about the Model Law and its applied embodiments (more on that below) is the shift from checkbox compliance to risk-based thinking. Both 23 NYCRR 500 and the Model Law rely heavily on organizations conducting consistent, if not continuous, risk assessments to inform their cybersecurity strategy. This signals the recognition that every organization is different, and that the idea of one list of controls securing an entire industry is outdated.
Insurance Data Should Keep The Midwest Up At Night
Just as California has the highest concentration of technology companies, and therefore the greatest concern for consumer data privacy, what happens to insurance customer data is a great concern for the Midwest. The Midwest is home to some of the biggest names in insurance, and to date regulations around insurance have largely been underdeveloped. Moving forward, we can expect to see states follow Ohio and Michigan’s lead: whether they take the safe-harbor (carrot) approach of Ohio or the more traditional fine (stick) approach of Michigan, we can expect to see more and more states adopting the outline of the Model Law.
Navigating The Crossroads of State and Industry Regulations
The landscape of state- and industry-specific regulations is only going to get more complicated, and a reactionary approach is not going to work. What is encouraging, though, is the way these regulations hinge on risk assessments over checkbox compliance. Furthermore, these governing bodies (NAIC and NYDFS) are not designing these regulations in a vacuum; you can expect to see more regulations interplay with one another. In the same way that the Model Law drew from 23 NYCRR 500, you can expect that more and more regulations will use that approach. The common thread? The NIST CSF. As we explored before, the language of the NYDFS regulation and the Model Law draws from the CSF at its core. While the incident reporting timelines may differ, the approach to risk and compliance management continues to make the NIST CSF the gold standard. If you want to ensure that you’re ready for the next regulation, and want to build for the future, start building on the NIST CSF today.
The CyberStrong platform is the only integrated risk management platform that is built on the NIST CSF and allows you and your team to operationalize any framework while benchmarking against that gold standard. Alongside the CSF, CyberStrong uses the NIST 800-30 methodology to streamline your risk assessments and AI-backed remediation plans to show you a clear path to security.