Last year, the Federal Trade Commission received 7,642 fraud complaints from NH consumers, representing losses of $3.5 million. The agency also collected 1,565 reports of identity theft from state residents, placing NH 14th nationally, based on population.
A state law that goes into effect on Jan. 1 aims to tighten data security standards in one sector of the economy—insurance. The new Insurance Data Security Law applies to NH’s 1,153 licensed insurance companies (including property and casualty, accident and health, fraternal and title companies), and 8,034 in-state and 166,318 out-of-state licensed insurance agents and brokers (unless specifically exempted in the legislation).
The measure follows growing national concern over cybersecurity lapses, including the 2017 Equifax breach that exposed the personal information of more than 148 million Americans.
It also comes on the heels of the National Association of Insurance Commissioners (NAIC) passage of an Insurance Data Security Model Law, as well as action by legislatures in states from New York to Delaware to enact similar measures.
“Cyberattacks are one of the greatest threats to our personal and financial information,” says NH Insurance Commissioner John Elias. “It is critical that New Hampshire established these safeguards to protect consumers. Insurers and producers have more sensitive consumer data than nearly any other type of business entity. Not only do they collect social security numbers and credit card or bank account information, but also personal information like health-care data. Protecting consumer data is a high priority for the department in the wake of several major insurer data breaches.”
Provisions in the Law
The new law requires:
• Licensed insurance companies with 20 or more employees to perform a risk assessment and develop a data security program to protect nonpublic information and to file the program annually with the state
• A written incident response plan to promptly respond to and recover from data breaches.
• Notifying the state insurance commissioner of a cybersecurity breach within three business days if the event occurs when the insurance company is located in NH or if it affects at least 250 NH residents
• Maintaining records of all cybersecurity events for five years and providing an annual written statement certifying the insurer is in compliance with the law’s requirements
• Training company personnel in cybersecurity awareness.
The measure grants the state insurance commissioner the power to take “necessary and appropriate” action to enforce the law and to fine violators up to $2,500 per offense.
The law exempts companies with fewer than 20 employees, continuing care retirement communities and motor vehicle retailers, among others, and provides a safe harbor for HIPAA-covered entities and those that certify compliance with New York’s Cybersecurity Requirements for Financial Services Companies law.
Licensed insurance companies have one year from the effective date of the NH legislation to implement cybersecurity requirements and two years to make sure their third-party vendors also have done so.
A NH Approach
New Hampshire’s law was written at the behest of the state insurance commissioner, who participated in the NAIC committee that developed the model law on which the NH law is based.
While similar to the NAIC model law, NH did not adopt that measure wholesale. For example, the NAIC model exempts companies with fewer than 10 employees; in NH, it is 20 or fewer. Also, unlike the model law, NH’s version provides exceptions for continuing care retirement communities, life settlement providers (companies licensed to purchase life insurance policies), portable electronics insurance vendors, as well as certain banks and credit unions that provide safeguards for customer information under federal law.
Sen. Jon Morgan, D-Brentwood, one of four sponsors of the bipartisan bill, says legislators, working with Elias, went out of their way to ensure the law did not unduly burden NH businesses.
“The business community, rightfully so, wanted to make sure we were not adding layers of complexity or regulation that were not necessary and that they were already meeting through legislation, primarily at the federal level,” Morgan says.
“My intent from day one was to make sure consumers were protected from these types of incidents but we never wanted to do anything that would be detrimental for small businesses here in New Hampshire, because they’re the backbone of the economy… I think we found a really nice balance.”
Analysts say the measure is unlikely to dramatically increase costs for insurers or consumers. “I don’t think New Hampshire residents would see a discernible increase [in costs] based on this one law in New Hampshire, when it is a model law that has been implemented in other states,” says Marrielle Van Rossum, an attorney with Sulloway & Hollis, who has analyzed the new law.
As to how effective it will be, reviews are mixed. Christopher Nicolopoulos, president and CEO of the NH Association of Insurance Agents, says he is not certain if an industry-by-industry approach to a global problem like cybersecurity is the best one.
Nevertheless, “As an industry, we want to make sure we’re putting critical things in place to protect this consumer data,” he adds.
Morgan, meanwhile, says he believes “consumers and businesses alike should feel really optimistic that New Hampshire, through this bipartisan legislation, is taking a leading role in defining how we should be prepared for and addressing these incidents, because we know they’re going to happen.”
Van Rossum says the law is valuable even if it cant’ prevent all cyberattacks. “While I’m sure hackers are always going to find a way in, it’s what insurance companies and financial and health-care companies do after the breach that matters,” she says. “Being able to report the breach and notify who is at risk of identity theft is probably the most effective part of the law.”
Elias offers similar thoughts. “Our hope is that the requirements in this law will prevent bad actors from accessing confidential consumer information,” he says. “However, we know that if it does happen, the company will investigate and notify the department and consumers in a timely manner.”