On May 1, 2019, Alabama S.B. 54 took effect, raising the cybersecurity and data privacy standards that apply to the insurance industry in the State of Alabama. The law is based on the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC). Alabama insurers have until May 1, 2020 to implement the information security program requirements of S.B. 54, and until May 1, 2021 to implement the requirements that apply to oversight of third-party service providers. The technical aspects of the law include strengthened authentication controls, network intrusion detection and prevention, and system audit logging. All of these elements of the model law are focused on protecting the confidentiality, integrity, and availability of nonpublic information.
Entities not regulated by the Alabama Department of Insurance are not affected by the new law, but they must still comply with Alabama's existing data breach law under Ala. Code §§ 8-38-1 through 8-38-12.
Personal Information Clause
Under the new law, Alabama insurers are subject to a new definition of personal information. "Nonpublic information" refers to any electronic information concerning a consumer that is not publicly available and that, because of a name, number, or other identifier, can be used to identify the consumer when combined with any of the following elements:
- Biometric records
- Social Security Number
- Financial account number, credit card, or debit card number
- Security code, access code, or password that would permit access to a consumer's financial account or permit a transaction that credits or debits that account
- Driver’s license number or Alabama identification card number
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Any information or data, except age or gender, derived from a health care provider that can be used to identify a particular consumer and that relates to the past, present, or future physical, mental, or behavioral health of a consumer or a member of the consumer's family; the provision of health care to any consumer; or payment for the provision of health care to any consumer
- An individual's health insurance policy number or subscriber identification number, and any unique identifier used by a health insurer to identify the individual
Additional Requirements
The new law requires licensees to implement and maintain a written information security program, including an incident response plan. The Commissioner may levy penalties for non-compliance and has the authority to examine and investigate a licensee to determine whether it is in violation of the law.
Exceptions
Licensees with fewer than 25 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets are exempt from the information security program requirements of the new law, as are licensees that certify in writing that they maintain a HIPAA-compliant information security program. The notification obligations described below still apply to these licensees.
Cybersecurity and Investigation
Entities regulated by the Alabama Department of Insurance must notify the Commissioner as soon as possible, and no later than three business days after determining that a cybersecurity event involving nonpublic information in the licensee's possession has occurred. If the event affected more than 1,000 individuals, written notice must also be given to the Alabama Office of the Attorney General.
Under the NAIC Model Law, organizations are required to implement an information security program designed to:
- Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer.
- Protect the security and confidentiality of nonpublic information and the security of the information system.
- Protect against any threats or hazards to the security or integrity of nonpublic information and the information system.
Organizations must also define, and periodically re-evaluate, a retention schedule for nonpublic information and have a mechanism in place for destroying nonpublic information when it is no longer needed.
The risk management section of the NAIC model law also requires licensees to determine which of the following security measures are appropriate for them and to implement those measures:
- Adopt secure development practices for in-house developed applications
- Include audit trails within the information security program designed to detect and respond to cybersecurity events
- Have comprehensive backup and recovery measures in place to protect against the destruction, loss, or damage of data
- Identify and manage the data, personnel, devices, systems, and facilities according to their importance to business objectives and the organization's risk strategy
- Place access controls on information systems
- Restrict access at physical locations
- Utilize effective controls, which may include multi-factor authentication, for individuals accessing nonpublic information
Other Important Provisions
Alabama law also includes other important provisions that apply alongside S.B. 54:
- Government entities are subject to the Act as well and must provide notice in line with the provisions of the law.
- Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation or national security, and the law enforcement agency has submitted a written request for the delay. The law enforcement agency may revoke the delay as of a specified date or extend the delay, if necessary.
- The Attorney General has exclusive authority to bring an action for civil penalties under the Act.
Data Breach Penalties
A covered entity that is required to give notification and fails to do so could face fines of up to $5,000 per day. A "knowing or reckless disregard" of the notification requirements could result in fines of up to $500,000 per breach.
Course of Action
This law will most affect mid-market insurers that are not subject to the Sarbanes-Oxley (SOX) Act, as many of them do not yet have the required controls in place. With the compliance deadlines approaching, it is important to understand how these requirements apply to your organization.
Businesses need to establish a team responsible for overseeing and implementing the program, perform a risk assessment, and evaluate the current state of their cybersecurity risks and controls.
Insurers also need to evaluate their third-party service providers and implement the appropriate administrative, technical, and physical safeguards.