In the News
New Cybersecurity Law in Effect in Ohio
The law requires insurers to create a comprehensive information security program.
- Timothy Darragh
- April 2019
New cybersecurity requirements to guard against data breaches went into effect last month for insurance companies, agents and other licensed entities in Ohio.
Based on the National Association of Insurance Commissioners' model data security law, the measure requires insurers to create a comprehensive information security program based on their risk assessment, according to a legislative analysis by the Ohio Legislative Service Commission.
The law requires a written incident response plan designed to help companies respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity or availability of non-public information, the analysis says. Former Ohio Gov. John Kasich signed Senate Bill 273 in December after it passed the legislature. The law is effective March 20.
The measure requires licensees, or outside vendors working for them, to conduct a prompt investigation when a breach appears to have occurred. Licensees will be required to report the incident to the superintendent of insurance as soon as possible, but no more than three days after the event, the analysis says.
It also spells out what information must be reported, including when the event occurred, how the information was compromised, whether the licensee has filed a police report and a best estimate of the total number of consumers potentially affected.
Insurers also will be required to document areas that need material improvement or updating, it said.
The superintendent of insurance will have the authority to review the written plans and reports, and the measure authorizes the superintendent to take “any necessary or appropriate action to enforce the bill's requirements,” it said.
Approved plans will be deemed “industry-recognized,” it said, and give licensees an affirmative defense if they are alleged in court to have failed to implement a reasonable security plan.
Licensees that have fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in assets are exempt, it said. Licensees have one year to comply with the measure and two years to certify that their third-party service providers have taken their own steps to secure their systems, it said.
The NAIC adopted its model law in 2017.
South Carolina became the first state to pass a law based on the model less than a year later.