Tennessee has enacted the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Law. The new Tennessee law is based on the model law that was finalized in October 2017, and requires Tennessee-licensed insurers to develop and implement written information security programs, and to investigate and provide notice of specified cybersecurity events to the insurance commissioner and to consumers. With the addition of Tennessee, the model law has been adopted by 18 states, with several failed attempts in other states. More states will likely adopt the model law soon, because the U.S. Treasury has recommended a 2022 deadline for adoption of uniform data security regulations for the insurance industry.
A “Licensee” under Tennessee’s Insurance Data Security Law
A “licensee” under the law is a person who is licensed, authorized to operate, or registered (or required to be licensed, authorized, or registered) pursuant to the laws governing insurance in Tennessee. A “licensee” does not include a purchasing group or risk retention group chartered and licensed in another state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
New Requirements of Tennessee-licensed Insurers
The law requires licensees to:
- Conduct risk assessments;
- Develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for the protection of the nonpublic information and the licensee’s information system.
- Monitor, evaluate, and adjust their information security program, consistent with relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to its information, the licensee’s changing business arrangements, and changes to information systems.
- Include cybersecurity risks in the enterprise risk management process;
- Remain informed regarding emerging threats or vulnerabilities to the licensee, and use reasonable security measures when sharing information, relative to the nature of the sharing and the type of information being shared;
- Provide personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment;
- Provide its board of directors, if it has one, a written report (at least once a year) detailing the status of the licensee’s information security program and its compliance with the law, and material matters related to the licensee’s information security program;
- Exercise due diligence in selecting third-party service providers and require all third-party service providers to implement appropriate safeguards to protect and secure their information systems and nonpublic information;
- Submit a written certification to the Commissioner of the Department of Commerce and Insurance by April 15 each year that the licensee is in compliance with this law;
- Maintain all records, schedules, and data supporting the certification made to the commissioner for a period of five years from the date of the corresponding certification.
Cybersecurity Event Response Requirements
The Tennessee Insurance Data Security Law requires a licensee that learns a cybersecurity event has, or may have, occurred to conduct a prompt investigation, either itself or through an outside vendor or service provider designated to act on its behalf. The investigation must:
- Determine whether a cybersecurity event has occurred;
- Assess the nature and scope of the cybersecurity event;
- Identify nonpublic information that may have been involved in the cybersecurity event; and
- Take or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or control.
If a licensee learns that a cybersecurity event has, or may have, occurred in a system maintained by a third-party service provider, then the licensee must complete or confirm, and document, that the third-party service provider has completed the above actions. Insurance licensees must keep records of all cybersecurity events for at least 5 years from the date of discovery. Even if the licensee determines after its investigation that the incident was not a cybersecurity event, a record of that finding must also be kept for 5 years.
Tennessee Insurance Data Security Law Notification Rules
The notice of a cybersecurity event must include:
- The date of the event,
- A description of how the nonpublic information was exposed,
- How it was discovered,
- Whether the information has been recovered (and how),
- The identity of the source of the event,
- Whether a police report was filed,
- A description of the information acquired,
- The period the licensee’s system was compromised,
- The total number of consumers affected (or best estimate),
- The results of any review of internal processes,
- Description of remediation efforts,
- The name of the person authorized to act on behalf of the licensee in response,
- A copy of any notice sent to consumers, if required.
Notice to consumers may be provided by:
- Written Notice.
- Electronic Notice (e.g. email): if it is the primary method of communication with the consumer.
- Substitute Notice: if the cost of notice would exceed $250,000, more than 500,000 consumers are affected, or the licensee does not have sufficient contact information. Substitute notice can be achieved by email (if available), posting on the licensee’s website, or notification to statewide media.
Exemptions to Tennessee’s Insurance Data Security Law
The law exempts licensees:
- That employ fewer than 25 individuals, whether classified as employees or independent contractors;
- With less than $5 million in gross annual revenue or less than $10 million in year-end total assets; or
- That are subject to, and comply with, specified federal laws.
The Tennessee Insurance Data Security Law takes effect on July 1, 2021. However, covered licensees have until July 1, 2022 to implement the comprehensive written information security program and until July 1, 2023 to require all third-party service providers to implement the appropriate safeguards detailed above.
Enforcement of Tennessee’s Insurance Data Security Law rests with the Commissioner of the Department of Commerce and Insurance. The commissioner has the power to investigate licensees to determine whether they have violated the law, and to impose penalties for those violations. The law provides for monetary penalties of up to $1,000 per violation, and of up to $25,000 per violation if the violation was intentional.