
PERSPECTIVES: Data breach notification rules also affect insurers


Most states require companies to notify potentially affected customers following a security breach that may involve the loss of personally identifiable information, or PII. Several state insurance departments also require they be informed of data breaches at insurance companies they regulate. Marc Voses and Scott Paris of law firm Nelson Levine de Luca & Hamilton L.L.C. discuss the additional regulatory requirements faced by insurers following a data breach.

All but three states — Alabama, New Mexico and South Dakota — require companies, including insurers, to notify potentially affected individuals following a security breach that may involve the loss of personally identifiable information or personal health information. The determination of whether a particular state's data breach notification law has been triggered requires experienced counsel to reach the appropriate conclusion.

The downside to failing to properly comply with applicable notification laws manifests in the form of penalties, fines, unnecessarily increased data breach response and notification costs, and the exposure of the company to even greater public scrutiny because the notification was not handled properly the first time around.

Over the past several years, various states have either amended existing data breach laws or enacted new ones focused on insurance companies and other “information brokers.” In some instances, the purpose of these laws is to ensure that existing data breach laws encompass insurance companies. In others, the goal is to make certain that the insurance commissioner is provided with notification of a breach where an insurance company is involved. The common end result is the creation of an obligation that cannot be overlooked during an insurance company's response to a data breach.

Invariably, the handful of states — Connecticut, Maine, New Hampshire, Ohio, Rhode Island, Vermont, Washington and Wisconsin — that have data breach notification requirements specifically encompassing insurance companies take the position that these rules are necessary to better serve insurance consumers. The Department of Insurance of the state of Ohio explained this position in bulletin 2009-12 issued in November 2009. The bulletin states that insurers are recipients and custodians of PII and PHI, and there is an expectation that the insurer “will take all prudent and reasonable steps necessary to protect that information.”

While customers may be affected by a data breach at an insurance company, the insurer will certainly be impacted. This fact has not been lost on those states with insurance company-specific notification rules. The Ohio Insurance Department noted in its 2009 bulletin that “this information is a valuable asset of the insurance company, and any loss of such information is a serious matter that could involve considerable cost to the company. Therefore, there is an expectation that an insurance company which has suffered a theft or loss of monetary assets advise the Insurance Department. That expectation also applies to the theft or loss of policyholder's [PII and PHI].”

Depending on the circumstances, these laws can include additional regulatory reporting requirements for insurers and often include aggressive reporting deadlines. Each state's notification law is different, so insurers need to have diligent counsel that can identify when and where notification needs to be sent.

For example, the Insurance Department of the State of Connecticut explained in bulletin IC-25, issued on Aug. 18, 2010, that it considers a data breach to be “any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained (…) the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.”

With regard to timing, any data breach that affects a Connecticut resident needs to be reported in writing to the Connecticut insurance commissioner no later than five days after the incident is identified. The Connecticut Insurance Department has also set forth a list of at least 15 topics that should be included in the letter to the commissioner.

While one would expect that basic information concerning the data breach would need to be disclosed in the letter, there are some interesting topics that one might not suspect. For example, insurers must provide the results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed, and copies of the insurance company's privacy and data breach policies.

The Connecticut Insurance Department also wants to review drafts of any communications to be sent by the insurer to those affected by the data breach advising them of the incident. However, the regulation does not provide for a timeframe in which the Connecticut Insurance Department will provide comments, if any, to the draft notification letter.

In the event of a data breach at or by a vendor or business associate of an insurance company that has the potential of affecting a Connecticut insured, the Connecticut Insurance Department requires the insurance company to notify them.

Lastly, the Connecticut Insurance Department states that each data breach is evaluated on its own merits, with some situations warranting the imposition of administrative penalties.

Maine, unlike Connecticut, does not set a specific timeframe for reporting a data breach. Instead, Maine requires data breaches to be reported following a “reasonable and prompt investigation.” Maine's rules for determining when the loss of information triggers notification requirements also differ from those in many other states.

Maine defines a “security breach” as the “unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person.” Personal information is defined as “not encrypted or redacted” data containing an individual's first name, or first initial, and last name along with information, including such information as a Social Security number, driver's license number, state identification card number, account number, credit card number, debit card number, account passwords or personal identification numbers.

In contrast, the Connecticut Insurance Department does not limit the definition of a data breach to only the loss of unencrypted materials or information falling into specific categories. Instead, as stated, the notification requirement is triggered when information is lost that could “compromise or put at risk the personal, financial, or physical well-being of the affected insureds, members, subscribers, policyholders or providers.”

Maine's data breach notification law states that “information brokers” must inform their regulator of the loss of unencrypted or redacted data. Whether an insurer needs to inform the superintendent of insurance is less clear.

In Bulletin 345, issued by the Maine Bureau of Insurance on Nov. 8, 2006, after the enactment of Maine's data breach notification law, the Maine superintendent of insurance directs the state's insurers to a frequently asked questions website on handling data breaches. The FAQ website states that all persons and companies regulated by the Department of Professional and Financial Regulation — which includes insurers — must inform their regulatory agency of a data breach, and this “notice must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that (affected) persons were or will be notified.”

Interestingly, under Maine's data breach law, information brokers are required to provide more information than appears to be required of insurers under the language in the FAQ section of the department's website. “Information brokers” must provide not only the information listed above, but also a copy of the notice and information being sent to affected persons and a description of the curative steps being taken to prevent future data breaches.

In its 2009 bulletin, the Ohio Insurance Department explained that insurers must report the loss of control of policyholder information within 15 calendar days of discovering a data breach. However, in general, Ohio requires that notification be given to individuals affected by a data breach no later than 45 days following the discovery of the breach. Therefore, an insurer discovering a data breach must inform its regulator within a shorter timeframe than when it must notify affected individuals.

Further, unlike the Connecticut Insurance Department’s bulletin or Maine’s data breach law, the Ohio Insurance Department does not specifically address whether data encryption impacts the triggering of the notification requirement.

The Ohio bulletin also extends insurers’ responsibility to safeguarding not only their information, but also the information maintained by their appointed agents. The bulletin specifically states that insurers are responsible for educating their agents about data breach reporting and reporting the loss of information by appointed insurance agents.

Conclusion

The rules and requirements for responding to a data breach are continuously evolving. They also differ in each state. The consequence for not properly following each state’s rules can also be significant. Companies faced with a potential data breach should be mindful that they may face strict deadlines for notifying affected individuals and/or regulators. Companies should consider consulting counsel to ensure they comply with all appropriate rules.

Marc Voses is a partner in the New York office of Nelson Levine de Luca & Hamilton L.L.C. He can be reached at mvoses@ndlhlaw.com.

Scott Paris is an associate in the New York office of Nelson Levine de Luca & Hamilton L.L.C. He can be reached at sparis@nldhlaw.com.