All insurers doing business in Virginia should be aware of a new law going into effect on July 1, 2020. The Insurance Data Security Act, Va. Code §§ 38.2-621, et seq. (“Act”), imposes various monitoring, reporting and disclosure requirements relating to the personal information of insureds across the state.
This article summarizes the major points of the Act and the new requirements that will be imposed on insurers who do business with Virginians.
The Act is designed to protect what it refers to as “nonpublic information.” This term includes any information that is not publicly available and either (1) relates to the business operations of an insurer such that unauthorized disclosure or access would cause an adverse impact, (2) allows identification and correlation of a consumer’s name, number, or other identifier with that consumer’s social security number, driver’s license number, financial or credit card number, or (3) pertains to health or mental care (including payment records). It does not include age, gender, or any information that is available in public records or required disclosures.
Every insurer doing business in Virginia will be required to maintain a written information security program (ISP). While the scope of the ISP will necessarily depend on the size and complexity of the insurer, the nature of its activities, and the sensitivity of the information it maintains, each ISP must provide for the following at a minimum:
The Act’s scope is not limited to preventative measures. It imposes an investigation requirement with respect to any event that results in unauthorized access, disruption, or misuse of the insurer’s information system or protected information. At a minimum, the investigation must determine whether such an event occurred, assess the nature and scope of the event, identify the compromised information, and oversee reasonable measures to restore system security.
If an insurer learns that information has been compromised, it is required to give notice to the Insurance Commissioner within three days if it is a Virginia corporation, or if 250 or more Virginia residents are affected by the event. The notice must include information such as timing, a description of how the information was compromised, recovery efforts, and law enforcement involvement. A full list of the disclosure requirements is at Va. Code § 38.2-525(B). The insurer must update and supplement the notice as information is learned over the course of the investigation.
The insurer must also provide notice of any compromised information directly to consumers if the information is reasonably likely to be the subject of identity theft or fraud to those consumers. This notice must be provided “without unreasonable delay” after determining or receiving notice that information has been compromised. The notice must (1) narrate the incident in general terms, (2) provide the type of protected information that was compromised, (3) describe what the insurer is doing to protect from future unauthorized access, (4) give a telephone number for the consumer to call for information and assistance, and (5) advise the consumer to review account statements and monitor credit reports. The insurer must mail the notice, unless the cost of doing so exceeds $50,000 or over 100,000 consumers are affected, in which case electronic notice is acceptable.
Additionally, if notice is provided to more than 1,000 consumers, the insurer must provide a copy of the notice to national credit reporting agencies.
Many insurers will choose to outsource the creation and implementation of the ISP to a third-party vendor. On July 1, 2022, additional requirements will be phased in for insurers choosing this option. Insurers will be required to exercise “due diligence” in selecting the vendor, and the insurer retains the responsibility to oversee the vendor to ensure that it implements administrative, technical and physical measures to keep protected information secure.
On January 1, 2023, each insurer domiciled in Virginia will be required to certify its compliance with the Act to the Insurance Commissioner. All ISPs, investigation reports, and related documents must be retained for five years.
The Insurance Commissioner has the power to examine and investigate the insurer to ensure compliance with the Act, and to take any action necessary to enforce its provisions. Forthcoming rules and regulations will likely add further duties and requirements.
As with investigations involving insurance fraud, the information and documents uncovered by the Insurance Commissioner during an investigation into an insurer’s response to a compromise of protected information are protected from civil discovery and subpoenas. However, the Commissioner may use such documents and information in the furtherance of any regulatory or legal action, and may share documents with, and receive documents from, regulatory and law-enforcement authorities.
The Act does not apply to:
With cyber-attacks, ransomware, and other nefarious technological threats menacing insurers and their customers, responsible cybersecurity practices are now not only good business sense; they’re the law. If you have questions regarding the Act and how to ensure compliance, please contact Tom Moran at (804) 362-9434 or tmoran@wcslaw.com.