Data Security Requirements for Insurance – A Short Guide

What requirements does my agency have to worry about?

This is a question I’d get constantly over the years helping agencies with cybersecurity and compliance. It’s an important one to ask because this sets the bar for what you should be doing.

There’s never an easy answer because every single agency is going to have a different list of requirements to meet based on several variables:

  • Where they operate or are licensed
  • Where their clients reside (not always the same as where they are licensed)
  • Their staff size
  • Their revenue or assets value
  • Their company appointments
  • Their lines of business (particularly when benefits are involved)

Let’s break this all down for you today in this short guide!

There’s a lot here but bear with me because at the end of this I’ll share resources to help you continue down this path.

I’ve worked with hundreds of businesses over the years to help them do all of this, and while it can seem like a lot of work, there are ways to get you where you need to be. Sometimes it just helps to lean on someone who’s been through it before.

The good news is, after your first pass at all of this, it gets much easier!

One of the biggest challenges is that many requirements are reactively enforced.

By this I mean that it’s very uncommon for anyone to reach out to you proactively to say what to do. It’s often up to you to seek out and understand what you are supposed to do.

If something goes wrong, that’s often when an audit or investigation may be conducted to see if you did what you were supposed to do.

This is what can make it so difficult for the independent agency to be confident they’re doing the right thing.

Don’t worry though! I’ll set you on the right path here so you can feel more confident in what you’re doing, no matter your specific requirements.

Where do requirements come from?

There are a few places you need to start looking for your requirements. I’ll share a few specific requirements at the end of this article that I commonly run into with agencies I help but here’s where you may find sources of requirements:

Federal Regulations
Various departments like Health & Human Services, FTC, SEC, and others have security rules or other requirements that could impact your practices with data.

State Regulations
Departments may vary but often data security gets mentioned with consumer protection, financial services, and departments of insurance.

Industry Specific Requirements
Usually, an expectation of practices related to a particular industry (for example, a software provider being asked to obtain a SOC 2 report).

Peer-to-Peer
More and more, businesses are holding each other accountable where risks are shared.

Global
If you are an international business, other countries may have unique laws.

Cyber Liability Insurance
Cyber liability is a core driver of many requirements today.

What types of requirements are out there?

From a data security or cybersecurity perspective, there are four main types of requirements you may find.

Sometimes these are combined together but, depending on the regulation or the status of adoption of these requirements, these may be broken apart or maybe only a subset of these might exist today.

Here are the ‘flavors’ these can come in:

Data Security
These are requirements about what to do proactively to protect ‘non-public information’ or NPI. Sometimes this can be as broad as saying “take reasonable measures to protect NPI” but more and more they have specific actions you may need to implement.

TIP: Always follow a cybersecurity framework so there is no question about whose idea of “reasonable measures” is being followed.

Breach Notification
This has to do with how you investigate and report suspicious activity and what may determine an actual cyber event, incident, or breach.

This may include specific timelines, steps, and various actions depending on the extent of the incident.

Depending on the requirement, it may mean various third parties need to be notified beyond just the individuals impacted. This could go as far as notifying the Attorney General of various states, credit bureaus, and others – depending on the specific regulation.

TIP: These exist in all 50 states and have to do with where your clients RESIDE, not just where you may be operating or licensed. This means you need to look at your client data to see what states are in play.

Data Disposal
Some regulations introduce ideas about what data or information should be kept and for how long. This can help minimize your exposure to ensure you don’t have a larger impact than necessary.

In addition to what to keep and for how long, these requirements also talk about how to properly dispose of information or even electronic devices.

TIP: Just like you’d shred paper documents, there are specific actions to take to dispose of electronic data or devices properly. You can’t just delete files from a computer and throw it out; I’ve seen forensic analysts recover data from devices that were thought to be wiped. There are expert “e-cycling” services specifically for this need that can certify your devices are disposed of properly.

Data Privacy
These requirements may involve steps around notifying consumers about the use and storage of their data, and their rights around this.

Newer requirements are starting to appear that have to do with the “Right to be Forgotten”, which may give consumers the ability to request their data be deleted.

While these laws start to get outside of the world of data security, and more with fair use and management of that data, it’s worth noting.

These types of regulations may require you to justify your reasoning around why you might retain data related to other requirements you have for your record keeping practices.

TIP: This is a new and changing landscape that started with the European Union’s General Data Protection Regulation (GDPR), and first popped up in the US with California’s Consumer Data Protection Act. Keep an eye on what’s happening here as more states are adopting similar laws.

What requirements do Independent Insurance Agencies need to watch for?

Now that you have a lay of the land for the sources and types of laws, there are a few specific items that insurance agencies really need to be aware of and prepared to follow.

Cyber Liability
You’ve probably noticed your cyber applications tightening up the bare minimum acceptable security practices.

Today, if you don’t have some of the core best practices in place, you’re probably not getting insured.

Insurance Data Security Laws
Download my FREE list of Insurance Data Security Laws to get links and key requirements here.

These are now in 25 states as of this writing:

  • Current States: AL, CT, DE, HI, IA, IL, IN, KY, LA, MD, ME, MI, MN, MS, ND, NH, NY, OH, OK, PA, SC, TN, VA, VT, and WI
  • Pending States: AK, NE, and NJ

New York’s Cyber Rule (NY DFS 23 NYCRR Part 500) was the beginning of this and applies to all financial institutions. After that passed, the NAIC created a model data security law based off of what was passed in NY and pushed it to all 50 states. It’s slowly passing across the country with some variations from state to state.

These have annual requirements to proactively certify with the state commissioner that you’ve done what is required or to file as exempt.

While the requirements are pretty straightforward, many agencies have challenges in the amount of work needed to both document and implement these practices.

Usually, following a cybersecurity framework is going to guide you to satisfy the strictest requirements you fall under.

Company Requirements and Data Security Addendums
Since your companies most likely fall under the above-mentioned NY Cyber Rule, many agencies are feeling the effects of its 3rd Party Security Requirements.

This is causing your companies to push out expectations for appointed agencies that have shared access to insured data and other resources. Some may go as far as saying that they want all of their agencies to meet the full extent of NY’s requirements or other standards, despite your individual requirements under these laws.

While you may have some recourse here and a discussion may be necessary if you’re being asked to do more than you’d normally do under your own requirements, it’s more of a business-to-business issue and has to do with their risk appetite.

Breach Notification Laws
Also available in my downloadable resource, there are laws to follow in all 50 states with regard to how you handle a breach and who you notify.

Like the data security laws, creating an incident response plan that addresses your strictest requirements is going to be the best way to ensure you operate under the appropriate timelines and take the correct actions to detect, contain, and investigate events.

Take note that these requirements may involve reporting to different entities that something happened.

Data Disposal Laws
While you will find these woven into different requirements mentioned here, there are several states that have these broken out into their own laws.

These are listed in my downloadable resource but make sure you look for any particular requirements around how long you can keep various forms of data and how to dispose of it properly.

Data Privacy Laws
These new laws are taking hold in several states:

As of this writing, I’m aware of the following states that have some form of a Data Privacy Law: CA, CO, CT, DE, IN, FL, MD, MT, TN, TX, UT, and VA

Take careful note of these and watch for them to adapt as consumer rights are evolving. You may need to do more than just notify people of how their data is used.

HIPAA (Health Information Protection and Portability Act of 1996)
One of the first data protection laws out there, HIPAA is well established and has to do with protecting “Protected Health Information” or PHI. It also includes its own cybersecurity safeguard rule.

Agencies may be surprised to find that some of their appointment contracts could include language that identifies them as a Business Associate (BA), usually in a Business Associate Agreement or BAA. This is a lower level that still has requirements under HIPAA.

HIPAA goes beyond just encrypting emails. Even BAs have 5 self-audits to do annually. Some of it may mean identifying your own BAs (people that could potentially have access to PHI or systems that have PHI in them, like your IT company – who then would also need to certify they are HIPAA compliant).

Many people I speak with fall short of their HIPAA requirements and are often surprised at what they are missing.

Visit the US Health and Human Services’ page on HIPAA for more information.

Gramm-Leach-Bliley Act (GLBA) from the FTC
This applies to all Insurance offices.

Traditionally more of a Data Privacy Law, GLBA has recently added the FTC Safeguard Rule in the past year to create a standard of best practices around information security.

Luckily, you will most likely satisfy this requirement as you address the others in this list.

Visit the US Federal Trade Commission’s page on GLBA for more information.

SEC Cyber Rule
If you offer bonds or other financial products, you may need to look into the SEC’s security rules.

These are going to be pretty straightforward practices as well, but are important to review.

The original press release from the US Securities and Exchange Commission on July 26, 2023 can be found here.

Keep an eye on the SEC page for more information in case there are any changes after 2023.

So, what do you do from here?

I know there’s a lot here to focus on, but many of these requirements will overlap, giving you the ability to take one comprehensive approach that addresses all of these at once.

First, you need to start to get all of your requirements in front of you to set the bar for what all needs to be satisfied.

Take particular note for anything that requires proactive notifications, like the Insurance Data Security Laws, since you may have deadlines you have to meet.

Here are the steps I recommend taking from here:

1. Identify Your Requirements

Federal Requirements:

  • All agencies should look at GLBA and the FTC Safeguard Rule.
  • Determine if you fall under HIPAA due to any possibility that you could see, store or manage Protected Health Information (PHI). (Don’t forget to check your company contracts for Business Associate Agreements that would require you to meet HIPAA!)
  • If you offer other financial products, check to see if you fall under the SEC cyber rule.

State Requirements:

Start with states you operate in:

  • Look for an Insurance Data Security Law (grab my free list).
  • Look for a general Data Security Law when there’s no insurance-specific law.
  • Look for any general Data Disposal Laws.

Identify states where your customers RESIDE (you may need to run a report on prospects you have data on, as well as current and past clients):

  • Look up the general Breach Notification Laws (especially for those that don’t have an Insurance Data Security Law that applies to you).
  • Look up any Data Privacy Laws covering your insureds where they reside.

Company Requirements:

  • Have you received any data security addendums that have gone unaddressed?
  • Do any of your appointment contracts identify you as a Business Associate that has to comply with HIPAA?

3rd Party Requirements:

  • Beyond companies, look at any other relationships with partners that share data or integrated technology to see if they have requested specific practices are met.

This may include your insureds as more and more consumers and businesses are protecting their interests by looking at their business partners as a potential security risk.

Cyber Liability Insurance Requirements:

  • Double check your current cyber liability insurance but also be proactive ahead of your renewal to identify possible changes in what you will need to satisfy ever-changing underwriting requirements.

Check for Exemptions:

  • Within what you find, take note of where you may fall under exemptions or exclusions.
  • Be cautious to identify any requirements that are still necessary when you are exempt. It may not mean you have a FULL exemption.

Legal Oversight:

  • Review this list with your legal counsel to get their input on anything missing or that may not apply.

2. Identify Your “High Water Mark”

Start to look at the strictest of your requirements to create a “High Water Mark” of what to satisfy at minimum as you implement a cybersecurity program.

3. Choose a Cybersecurity Framework

I recommend looking at the Center for Internet Security (CIS) Critical Security Controls. CIS breaks everything into 18 security controls and provides three “implementation groups” to follow based on your program’s maturity level.

The recommendations found within the framework will help you not miss anything; the trick here will be to make sure what you choose to do meets the high water mark.

For example, CIS suggests you use 8 characters as a minimum password length, but maybe one of your strictest requirements says at least 14 characters are required. So, you decide to go beyond the minimum in the framework.

4. Eat the Elephant One Bite at a Time

The only way to do this effectively is one step at a time. Many businesses fail when they get overwhelmed or assume they can just get it all done quickly (this all takes time).

As you identify policies and procedures that describe ‘what you’ll do’ and ‘how you’ll do it’, you will want to keep track of the unfinished work.

The best way to accomplish this is to create and manage a Plan of Actions & Milestones (POA&M) that helps you keep track of everything and prioritize the work ahead.

Find ways to keep steady momentum and progress.

And, keep in mind the first year doing all of this is often the hardest!
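As an added example that is not part of the original article or of the Secure My Agency program, the Python script below walks steps 1, 2 and 4 above in code: it derives the states in play from a constructed client roster (by where clients reside, not where the agency is licensed), merges a set of requirements into a high water mark (taking the larger of two password lengths but the shorter of two breach notification deadlines), and emits a POA&M item for every control where current practice falls short of that mark. Every requirement value in it is a constructed placeholder, not the text of any real law; the only figures taken from the article are the 8-character CIS minimum and the hypothetical 14-character stricter requirement from step 3. The state codes ST1 through ST4, the control names and the source labels are invented for the demo.

```python
"""High water mark and POA&M builder (added example, constructed data only).

Nothing here reproduces a real state or federal requirement; the values are
placeholders that show how the strictest requirement wins per control.
"""
from dataclasses import dataclass

# How "stricter" is decided for each control:
#   "max" -> a larger value is stricter (minimum password length)
#   "min" -> a smaller value is stricter (breach notification deadline in days)
#   "any" -> the control is required if any single requirement demands it
STRICTNESS = {
    "min_password_length": "max",
    "breach_notice_days": "min",
    "mfa_required": "any",
    "annual_certification": "any",
}


@dataclass
class Requirement:
    source: str    # who imposes it: a state law, a regulator, a carrier addendum
    controls: dict  # control name -> required value


def states_in_play(clients):
    """Step 1: the states where clients RESIDE, deduplicated and sorted."""
    return sorted({c["state"] for c in clients})


def high_water_mark(requirements):
    """Step 2: strictest value per control, with the source that set it."""
    mark = {}
    for req in requirements:
        for control, value in req.controls.items():
            direction = STRICTNESS[control]
            if control not in mark:
                mark[control] = (value, req.source)
                continue
            current, _ = mark[control]
            stricter = (
                (direction == "max" and value > current)
                or (direction == "min" and value < current)
                or (direction == "any" and value and not current)
            )
            if stricter:
                mark[control] = (value, req.source)
    return mark


def meets(control, actual, required):
    """Does the agency's current practice satisfy the required value?"""
    direction = STRICTNESS[control]
    if direction == "max":
        return actual >= required
    if direction == "min":
        return actual <= required
    return bool(actual) or not required


def poam_items(mark, current_controls):
    """Step 4: one POA&M item per control that is missing or falls short."""
    items = []
    for control, (required, source) in mark.items():
        actual = current_controls.get(control)
        if actual is None or not meets(control, actual, required):
            items.append({"control": control, "required": required,
                          "current": actual, "driver": source})
    return items


def build_plan(clients, catalog, extra_requirements, current_controls):
    """Tie the steps together; states absent from the catalog still need a lookup."""
    states = states_in_play(clients)
    applicable = [catalog[s] for s in states if s in catalog]
    unresolved = [s for s in states if s not in catalog]
    mark = high_water_mark(applicable + list(extra_requirements))
    return {"states": states, "unresolved": unresolved, "mark": mark,
            "poam": poam_items(mark, current_controls)}


# Constructed roster: ST1..ST4 stand in for real two-letter state codes.
CLIENTS = [
    {"name": "client-1", "state": "ST1"},
    {"name": "client-2", "state": "ST2"},
    {"name": "client-3", "state": "ST1"},
    {"name": "client-4", "state": "ST4"},  # no catalog entry -> must be looked up
]

# Placeholder catalog of state requirements (values invented for the demo).
CATALOG = {
    "ST1": Requirement("ST1 insurance data security law (placeholder)",
                       {"min_password_length": 14, "breach_notice_days": 30,
                        "annual_certification": True}),
    "ST2": Requirement("ST2 breach notification law (placeholder)",
                       {"breach_notice_days": 45}),
    "ST3": Requirement("ST3 data security law (placeholder)",
                       {"min_password_length": 12}),
}

# The framework baseline (8 characters, per the article) and a carrier addendum.
FRAMEWORK_BASELINE = Requirement("CIS Controls baseline (placeholder values)",
                                 {"min_password_length": 8, "mfa_required": True})
CARRIER_ADDENDUM = Requirement("Carrier data security addendum (placeholder)",
                               {"mfa_required": True, "breach_notice_days": 10})

# What the agency does today (constructed).
CURRENT_PRACTICE = {"min_password_length": 10, "mfa_required": False,
                    "breach_notice_days": 7}

if __name__ == "__main__":
    plan = build_plan(CLIENTS, CATALOG, [FRAMEWORK_BASELINE, CARRIER_ADDENDUM],
                      CURRENT_PRACTICE)
    print("States in play:", plan["states"], "| still to look up:", plan["unresolved"])
    for control, (value, source) in plan["mark"].items():
        print(f"  {control}: {value}  (set by {source})")
    print("POA&M items:")
    for item in plan["poam"]:
        print(f"  {item['control']}: have {item['current']}, need {item['required']}")
```

The point of the `STRICTNESS` table is that "strictest" means different things for different controls: a longer password minimum is stricter, but a shorter notification deadline is stricter, and a boolean control is required as soon as any one source requires it. Listing the driver next to each value also answers the auditor's question of which requirement set the bar, and the `unresolved` list keeps a state from silently dropping out of scope just because nobody has looked up its law yet.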

This is where the work begins, and where I can help you!

In my “Secure My Agency” program (SecureMyAgency.com), we not only support agencies as they implement cybersecurity and compliance practices, we also provide a ton of resources, courses, and other ways to get help as you go this route.

Plus, we made it super affordable so even small offices can get the help they need!

Join now to start digging into content that will help you get started!

On July 9th, we begin our weekly workshop to keep you on track with meeting your requirements by the end of the year.

Learn more here

Schedule
In each weekly workshop, we’ll tackle a part of the Center for Internet Security (CIS) Framework and look at recommended policies and procedures.

You’ll walk away with a template policy and procedure that we customize in the live workshop, as well as additional resources, and we’ll identify to-do items to track in your POA&M (we’ll be sharing ours with you).

Plus, throughout each week there are plenty of ways to get help from us as you continue.

Our first session will be related to building your Asset/Risk Inventory, and you can get started early by downloading my FREE Risk Inventory Tracker to start collecting what is necessary around the Software, Hardware, and other types of inventories you are suggested to maintain.

In the meantime, reach out if you have questions!

Did you miss the Catalyit Live Session on this topic? Watch it now.
