As of May 1, 2019, Alabama became the latest state to sign into law heightened standards within the insurance industry for cybersecurity and data privacy. The new Law implements an exhaustive set of requirements for data security pertaining to entities or individuals licensed through the Department of Insurance. Both persons and institutions have one year—until May 2020—to implement the necessary information security requirements outlined in the statutes. This deadline extends until May 1, 2021, for third-party service providers to introduce the required controls included within the statute.

What do These Changes Mean?

The new Law only makes a handful of changes to the largely influential National Association of Insurance Commissioners’ Insurance Data Security Model Law. A significant part of the Law now requires licensed insurance providers to implement a written information security program for their organization. This security program considers a variety of factors to determine what is “reasonable” by addressing requirements for security program reviews, annual risk assessments, breach response, business continuity planning, and employee training. The security program for each licensee now calls for in-depth documentation and routine reviews to check for potential updates and changes. The goal is to ensure the overall cybersecurity consideration for risk management efforts.

These incident response plans must include a process that specifically outlines incident response, defined responsibilities and roles for team members, and distinct requirements for the remediation, reporting process, and documentation of both the incident and the response provided by the licensed entity or individual. An investigation of the cybersecurity event is required to be completed, along with the retention of all documentation that relates to any involved event for at least five years. This documentation must be available for access by the Department of Insurance.

How is Personal Information Defined?

Just as the Law has changed, so has the definition of personal information. Anything referred to as “nonpublic information” now includes all electronic information that is not available publicly concerning the consumer which, due to the name, number, or other potential identifiers, can be used for identification purposes in combination with other elements. These elements include information like driver’s license number, social security number, credit or debit account number, or information derived from a healthcare provider that can be used in conjunction with these original items to identify a particular consumer.

It is important to note that although the Law now obligates organizations and individuals to maintain written policies and procedures, Alabama’s regulations do not apply to any company with under 25 employees or has annual gross revenue to totals less than $5 million. These requirements (company size, revenue, etc.) will vary from state to state as similar laws continue to pass nationwide. It is recommended that regardless of size or annual revenue, any organization that maintains confidential and personal information of its clients should have some sort of policy in writing that explains response plans pertaining to a potential data breach. By having a cybersecurity process in place, you limit the exposure of customer information should a breach occur.

CRI is Ready to Help

With more and more states beginning to follow suit, it’s essential to stay up-to-date on the latest cybersecurity regulations that could affect your insurance practice. CRI works with your company to assess your current information security policies, provide recommendations on implementing a response plan, and help you maintain compliance under the new Law. If you’re unsure whether or not your state has passed these regulations, be sure to reach out to a CRI cybersecurity advisor for more information.