Growing Number of States Passing Insurance Data Security Laws

Insurers operating in multiple states must comply with a patchwork of state-level legislation patterned after the NAIC’s Insurance Data Security Model Law

In 2017, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in response to a growing number of cyber incidents within the insurance industry. Similar to the NIST CSF, the NAIC Model Law is voluntary unless a state elects to codify its guidelines into legislation. In 2018, South Carolina became the first state to get on board.

Two years later, more states are passing versions of the NAIC Model Law or their own data security laws targeting insurers. Connecticut, Delaware, and New Hampshire are the latest to jump into the fray, with Connecticut patterning its legislation after the cyber security regulations the State of New York passed in 2017 targeting the finance and insurance industries, and the other states using the NAIC Model.

What’s in the NAIC Model Law?

The purpose of the NAIC Model is to establish a uniform set of standards for data security, breach investigation, and breach notification within the insurance industry. The model includes guidelines regarding security testing, implementing an information security program, assessing cyber risks, incident response, and breach notification procedures. The NAIC Model applies to “licensees,” a broad category that includes companies ranging from large insurance carriers to small, independent adjusters.

The NAIC Model Law requires licensees to develop and maintain a comprehensive, written, and customized “Information Security Program” based on a risk assessment and containing administrative, technical, and physical security controls. The NAIC Model provides a number of guidelines for security controls, which licensees must adhere to as “appropriate” based on the results of their risk assessment:

  • Adopt secure development practices for in-house application development.
  • Restrict access at physical locations to authorized personnel.
  • Utilize technical access controls to restrict access to covered data on information systems.
  • Encrypt or protect by “other appropriate means” covered data that is transmitted over an external network or stored on a laptop computer or other portable computing or storage device.

Licensees must also include cyber risks in their enterprise risk management processes and notify their state insurance commissioner of a cybersecurity event within 72 hours of determining that such an event has occurred.

It’s important to note that the NAIC Model Law applies to “nonpublic information,” which covers a much broader range of data than “personal information.” In addition to personal information, such as Social Security Numbers, driver’s license information, and customer health information, nonpublic information includes “business related information of a Licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Licensee.”

Insurers must grapple with a patchwork of state-level data security laws

While state-level insurance data security laws are similar, there are significant differences that insurers need to be aware of. For example, the NAIC Model Law exempts licensees with fewer than 10 employees. However, New Hampshire exempts licensees with fewer than 20 employees, and Delaware’s law exempts those with fewer than 15. Michigan set the magic number at 25 and also excluded independent contractors; Connecticut is taking a phased approach.

Some states have also modified the NAIC’s suggestion of a 72-hour breach notification deadline. Licensees in Connecticut, Delaware, and Ohio have three business days, while Michigan insurers have 10 days.

When the NAIC unveiled the Model Law, its goal was to get all states to pass a version of it within three years. Regardless of whether the NAIC reaches its target, insurers should expect more state-level legislation on data security and privacy and prepare to adjust accordingly.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Are You Ready for the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act represents a significant milestone for consumer data privacy in the U.S.

Tired of the federal government dragging its feet on consumer data privacy legislation, states have started to take matters into their own hands. The biggest example is the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. Ironically, the CCPA was signed into law the day after news of the Exactis data leak broke.

Who must comply with the California Consumer Privacy Act?

The CCPA applies to any for-profit entity “doing business” in the state of California, whether or not they have a physical presence in the state, that meets at least one of the following criteria:

  • Gross annual revenue above $25 million
  • Annually buys, receives, or shares personal information belonging to 50,000 or more California consumers, households, or devices
  • Derives at least half of annual revenue from selling personal information belonging to California consumers

What’s in the CCPA?

While the CCPA is narrower than the GDPR in both its substantive requirements and its territorial reach (the GDPR applies across the entire European Union, not just one jurisdiction), it has a lot of moving parts and gives California consumers sweeping new rights regarding their data and what companies do with it. Under the CCPA, California residents will have:

  • The right to know what information companies are collecting, what categories of data will be collected prior to collection, and why they are collecting it. Companies will be prohibited from selling the personal information of consumers under age 16 unless the consumer (or, for children under 13, a parent or guardian) affirmatively opts in.
  • The right to prohibit companies from selling their information.
  • The right to know the categories of third parties with whom their data is being shared.
  • The right to know the categories of sources of information from whom their data was acquired.

“Selling” and “personal information” defined very broadly

Businesses should note that under the CCPA, the act of “selling” personal information does not necessarily require that money be exchanged. It also applies to “disclosing, disseminating, making available, transferring,” and more. Companies also won’t be able to get away with burying “do not sell” instructions in a TOS the size of “War & Peace.” The CCPA requires a “clear and conspicuous” section on business websites specifically titled, “Do Not Sell My Personal Information.”

The CCPA also greatly expands the definition of “personal information” to refer to anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It then goes on to list a number of specific examples, including IP address, browser history, biometric data, and geolocation data.

Businesses can be fined up to $2,500 for each violation of the CCPA, or up to $7,500 for each intentional violation.

As California goes, so goes the nation. Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island are among the states that have proposed laws very similar to the CCPA, and enterprises can expect similar legislation or even ballot initiatives in other states.

While January is coming up fast, there’s still time to get ready for the CCPA if you start right now. Businesses that already comply with the GDPR have a leg up on CCPA compliance.

What DoD Contractors Need to Know About the CMMC

The DoD unveiled its proposed Cybersecurity Maturity Model Certification (CMMC) to prevent supply chain attacks

Cyberattacks on the U.S. government’s vast network of contractors and subcontractors pose a serious threat to national security, and the DoD is taking action. The agency tasked NIST with developing a set of guidelines addressing advanced persistent threats against contractors who handle high-value data assets, and it recently unveiled plans for its own set of standards, the Cybersecurity Maturity Model Certification (CMMC).

What is the CMMC?

The CMMC will be developed in partnership with Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. The goal is to combine a number of existing cyber security control standards, such as NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, and FedRAMP, into one unified standard.

In addition to assessing a contractor’s implementation of controls, the CMMC will also assess the maturity of the company’s institutionalization of cybersecurity practices and processes. Assessments will be conducted by third-party auditors, and companies will receive a score indicating the maturity and sophistication level of their controls. There will be five CMMC levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced.”

The DoD has indicated that the CMMC will be a dynamic framework so that it is able to adapt to new and emerging cyber threats. A neutral third party will be responsible for maintaining the standard.

How will the CMMC affect DoD contractors?

DoD prime contractors have been held to higher cyber security standards since 2017, but typically, those primes outsource some of their work to subcontractors, who then have subcontractors under them. It’s these contractors, at tier two or below, that the CMMC is primarily aimed at. Many times, they are small companies that do not have robust cyber security defenses, which is why hackers target them. However, while the DoD has stressed that all areas of the federal supply chain must be secured, they have not yet gone into specifics regarding how the CMMC will flow down to subcontractors.

The DoD wants to implement CMMC in January 2020, include CMMC level requirements in RFIs by June 2020, and include them in sections L and M of RFPs by September 2020. CMMC levels will be used as a “go/no-go decision.”

The CMMC level required will depend on the nature of the CUI (controlled unclassified information) the contractor will be handling or processing. However, all companies conducting business with the DoD will be required to be CMMC certified, even if they do not handle CUI.

Recognizing that smaller subcontractors may be on tight budgets, the DoD is striving to make CMMC certification affordable. Additionally, IT security will be an allowable expense on contracts moving forward, so companies can modify their rates to reflect the new standards.

Getting ready for the CMMC

The DoD is conducting a “CMMC Listening Tour” to solicit feedback from defense contractors; sessions are currently scheduled through August.

Early preparation for the new requirements will be the key to success. Now is the time to reevaluate your data environment, cyber security policies and procedures, and compliance processes. Since the CMMC will be partially based on NIST 800-171, ensuring that your company meets at least those standards will make the CMMC certification process smoother.
