Vermont
Vermont Enacts Insurance Data Security Law
On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.
Information Security Program Requirements
Under the new law, licensees must develop, implement and maintain a comprehensive WISP that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. Licensees must conduct a risk assessment to create a WISP “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information.” Among other requirements, licensees’ information security programs will be required to:
- monitor emerging threats or vulnerabilities and use reasonable and appropriate security measures when sharing nonpublic information;
- annually assess the effectiveness of existing information safeguards;
- designate an employee, affiliate or outside vendor that is responsible for the information security program;
- provide cybersecurity awareness training to personnel and update the training as necessary;
- conduct due diligence when selecting third-party service providers, who must be required to implement appropriate administrative, technical and physical measures to protect licensees’ information systems and nonpublic information;
- develop and periodically reevaluate a retention schedule and destruction mechanism for nonpublic information; and
- establish a written incident response plan.
Licensees must annually certify their compliance with these information security program requirements in writing to the Vermont Deputy Commissioner of Insurance (the “Commissioner”) by April 15 and maintain records supporting the certification for five years. If a licensee has a board of directors, it also must provide the board with an annual written report on the WISP, compliance with the Vermont Insurance Data Security Law and other material matters related to information security.
Cybersecurity Event Investigation and Notification Requirements
Under the law, licensees must promptly investigate actual and potential cybersecurity events and undertake reasonable corrective measures. Licensees must maintain records about these cybersecurity events for at least five years. However, unlike MDL-668 and other state laws based thereon, the law does not impose notification obligations on licensees following a cybersecurity event. Instead, licensees are bound by the notification requirements of the Vermont Security Breach Notice Act, 9 V.S.A. § 2435.
Certain Licensees Are Exempt from the Law’s Requirements
Licensees will be exempt from the law’s information security program requirements if they (1) have fewer than 20 employees, including independent contractors; (2) are subject to HIPAA, maintain a HIPAA-compliant information security program and submit an annual written certification to the Commissioner; (3) are an employee, agent or representative of another licensee that is covered by the other licensee’s information security program; or (4) can produce documentation, as requested by the Commissioner, that they are subject to and in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth under the Gramm-Leach-Bliley Act.
Licensees are wholly exempt from the law if they are compliant with the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR §§ 500.0 to 500.23) and they submit a written statement to the Commissioner certifying such compliance.
Enforcement and Penalties Under the Law
The law is to be enforced by the Commissioner and does not contain a private right of action. The Commissioner can examine licensees to determine if they have violated the law, suspend or revoke the licensee’s license, report violations to the Vermont Attorney General for prosecution and issue administrative penalties of $1,000 per violation or $10,000 per willful violation.
The law will go into effect on January 1, 2023. However, licensees will have until January 1, 2024 to comply with the information security program requirements and until January 1, 2025 to implement the third-party diligence requirements.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 160