Written Data Security Programs Under the Pennsylvania Insurance Data Security Act (US)

Pennsylvania joined the ever-expanding number of US states enacting a variation of the National Association of Insurance Commissioners (NAIC) model law, the Insurance Data Security Act (the Act). See 40 Pa. C.S.A. § 4501 et seq. The Act generally applies to all persons and entities that are licensed, authorized to operate, or otherwise registered under Pennsylvania insurance laws (defined as “Licensees”), including insurers, producers (agents and brokers), third-party administrators, and rating organizations.

Written Information Security Programs

Among many of its requirements, the Act, whose language originally derives from the Cybersecurity Regulation promulgated by the New York Department of Financial Services, 23 NYCRR Part 500, requires each Licensee to design and implement a written information security program containing administrative, technical and physical safeguards for the protection of nonpublic information and the Licensee’s information systems. Licensees must regularly evaluate and adjust their information security program, including conducting annual risk assessments. They must also have and maintain a cybersecurity incident response plan.

Core safeguards

The written and comprehensive information security program must be commensurate with the Licensee’s “size and complexity,” the “nature and scope of the licensee’s activities,” including its use of third-party service providers, and the “sensitivity of the nonpublic information” at issue. The program should contain:

  1. the implementation of access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information;
  2. the inventory, tracking, and management of data, personnel, devices, systems and facilities that enable the Licensee to achieve its business purposes, in accordance with their relative importance to business objectives and the Licensee’s risk strategy;
  3. restriction of physical access to nonpublic information to authorized individuals only; and
  4. encryption for data in transit and at rest.

In addition, the information security program should utilize “effective controls, which may include multifactor authentication procedures,” for employees accessing nonpublic information. Organizations must “regularly test” the program – i.e., through annual risk assessments – and include audit trails designed to detect and respond to cybersecurity events.

Oversight of third-party service providers

Critically, Licensees also must conduct adequate due diligence into the data security programs of third parties who process the organization’s nonpublic information, including vendors and even law firms. As part of this “due diligence,” Licensees must “require” third-party service providers to “implement appropriate administrative, technical and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.” This means that service providers that conduct business with Licensees – including law firms – should expect due diligence assessments of their own cybersecurity measures. The depth of the assessment should reflect the sensitivity of the data to be handled and the extent to which it is handled. Many assessments are conducted remotely.

Governance obligations

To incentivize compliance, the Act imposes affirmative and ongoing corporate governance obligations upon senior management and/or a board of directors. A Licensee must ensure that senior management and/or the board of directors are actively engaged in the cybersecurity program and receive annual reports on its status. Annual reports to senior management or, if the Licensee has one, the board of directors are required. These reports must address the overall status of the Licensee’s information security program, the Licensee’s compliance with the Act’s cybersecurity requirements, and “material” matters related to its information security program. Such matters include the results of the Licensee’s risk assessment, its third-party service provider arrangements, any cybersecurity events, and/or any recommendations for modifications or changes to the information security program.

Senior management cannot fully delegate responsibility for its oversight. The Act expressly states that if management “delegates any of its responsibilities under this section or section 4512 (relating to risk assessment), 4513 (relating to information security program) or 4515 (relating to oversight of third-party service provider arrangements),” then the management “shall oversee the development, implementation and maintenance of the licensee’s information security program prepared by the delegated entity, which shall provide a written report to the executive management[.]”

Enforcement and penalties

The Act provides for injunctive penalties and civil penalties. For the former, upon the determination of a violation of the Act after notice and a hearing, the insurance commissioner is empowered to suspend or revoke a Licensee’s license, authorization to operate, or registration. The commissioner may also refuse to issue or renew a license, authorization to operate or registration, and may issue a cease-and-desist order. For monetary fines, penalties of $1,000 per violation, not to exceed an aggregate penalty of $20,000 in a single calendar year, may be issued for unknowing violations. For violations that the Licensee “knew or reasonably should have known was a violation,” the commissioner may assess fines of $5,000 per violation, not to exceed an aggregate penalty of $100,000 in a single calendar year. The Act does not permit a private cause of action.