Understanding New Hampshire Data Breach Law and Compliance

New Hampshire Data Breach Law

Chris Sununu, Governor of New Hampshire, signed the New Hampshire Insurance Data Law (SB 194) on August 2, 2019. The new law “establishes the exclusive state standards applicable to licensees for data security, the investigation of a cyber security event…, and notification to the commissioner.” The law applies to every person or entity that is licensed, authorized to operate, or registered, or that is required to be licensed, authorized, or registered, pursuant to the insurance laws of the State of New Hampshire. It became effective January 1, 2020.

What is New Hampshire Insurance Data Law (SB 194)?

Under the new law, licensees (including insurance companies) are required to conduct a security risk assessment and to implement an Information Security Program (ISP) containing technical, physical, and administrative safeguards to protect nonpublic information. The ISP is required to include:

  • Security measures that address the threats identified in the risk assessment, including encryption and multi-factor authentication
  • Cyber security awareness training
  • Due diligence when selecting third-party service providers, as well as a requirement that those third parties implement specific security measures
  • An incident response plan for responding to the cybersecurity events the law defines

The Commissioner may take any “necessary or appropriate” action to enforce the new law. Violations of its provisions can result in suspension or revocation of a licensee’s certificate of authority or license, or an administrative fine of up to $2,500 per violation.

Who is Exempt from the New Hampshire Insurance Data Law?

  • Licensees that have fewer than 20 employees
  • An employee who is also a licensee
  • A continuing care retirement community
  • A life settlement provider
  • A licensee that is a bank or credit union covered by Gramm-Leach-Bliley or the Fair Credit Reporting Act
  • A motor vehicle retail seller or finance company
  • A vendor, as defined under RSA 402-K:1

The new law also includes a safe harbor for HIPAA-covered entities and companies covered by the New York Department of Financial Services Cyber Security Regulations.

How Does a Company Comply with New Hampshire’s Insurance Data Law?

All New Hampshire licensees have until December 31, 2021 to implement an Information Security Program, and until December 31, 2022 to implement a vendor management program. That program must include “exercis[ing] due diligence in selecting its third-party service provider” and requiring third-party vendors to implement appropriate safeguards for protecting and securing the information systems and nonpublic information that are accessible to, or held by, those third-party service providers.

It is recommended that licensees begin implementation as soon as possible, because building a program that inventories every vendor with access to your data takes time. To comply, you are required to obtain written confirmation from each vendor or to have contractual provisions in place. It is better to start the process early and finish ahead of time than to find out you are not ready when the deadline arrives.

What are the Key Provisions of New Hampshire’s Insurance Data Law?

Key provisions of SB 194 include:

  • Information Security Program – The Bill requires licensees to develop, implement, and maintain, based on risk assessments, information security programs that contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. Nonpublic information is defined as information that is not publicly available information and is “any information concerning a consumer [,] which . . . can be used to identify such consumer, in combination with” a driver’s license, non-driver I.D. card number, Social Security number, credit or debit card number, financial account, or biometric information, or a security or access code or password that would permit access to a financial account.
  • Incident Response Plan — As part of the information security program, licensees are required to establish a written incident response plan aimed at promptly responding to and recovering from cybersecurity events that compromise the confidentiality, integrity, or availability of nonpublic information the licensee possesses, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.
  • Breach Notification — Licensees must notify the state insurance commissioner of a cybersecurity event within three business days. This notification must include:
    • Date of the cybersecurity event
    • Description of how the information was compromised and how the breach was discovered
    • Description of the types of information compromised
    • Number of affected residents
    • Copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate the event and notify affected consumers
    • Name of a contact person
    • Copy of the notice sent to consumers
  • Recordkeeping — Licensees must maintain records concerning all cybersecurity events for at least five years from the date of the cybersecurity event.