DistilNFO HITRUST
Another Data Security Law Effective Jan 1, 2020: Prepared?

August 12, 2019

New Hampshire Governor Chris Sununu recently signed the New Hampshire Insurance Data Security Law, which “establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event…, and notification to the commissioner.” The law is applicable to all persons or entities licensed, authorized to operate, registered or required to be licensed, authorized or registered, pursuant to the insurance laws of the State of New Hampshire. It becomes effective on January 1, 2020.

The law requires insurance companies to implement an Information Security Program (ISP) that contains administrative, technical and physical safeguards to protect non-public information and includes a security risk assessment. The ISP must include:

  • a program to manage the threats identified in the risk assessment, including encryption and multi-factor authentication;
  • cybersecurity awareness training;
  • due diligence in hiring third parties and requiring those third parties to implement security measures; and
  • an incident response plan.

Licensees are required to investigate cybersecurity events and to notify the Commissioner within three days “of a determination that a cybersecurity event has occurred,” which is defined to mean actual knowledge that the event occurred. Insurance companies are also required to provide the Commissioner with a copy of any notification letter sent to consumers under the New Hampshire data breach notification law.

The Commissioner has the right to investigate any cybersecurity event of a licensee to determine if it has been in violation of the law, and “may take action that is necessary or appropriate to enforce the provisions of the law.”

Licensees exempted from the law include:

  • covered entities that have fewer than 20 employees
  • an employee who is also a licensee
  • a continuing care retirement community
  • a life settlement provider
  • a licensee that is a bank or credit union covered by Gramm-Leach-Bliley or the Fair Credit Reporting Act
  • a motor vehicle retail seller or finance company
  • a vendor, as defined under RSA 402-K:1.

There is also a safe harbor for HIPAA-covered entities and companies covered by the New York Department of Financial Services Cybersecurity Regulations.

Licensees have until December 31, 2021, to implement an Information Security Program and until December 31, 2022 to implement a vendor management program, including to “exercise due diligence in selecting its third-party service provider” and requiring the third party to implement a data security program.

Based upon our experience with similar requirements in the Massachusetts data security regulations, it takes more time than you think to map all of the vendors that have access to data and to get written confirmation or contractual provisions in place to comply with this requirement, so you may wish to consider starting the process now.

Date: August 12, 2019

Source: Data Privacy + Security Insider
