Kentucky has become 21st State passage of data privacy legislation will require insurers and larger agencies to step up measures designed to help prevent cyberattacks and data breaches.
Governor Andy Beshear in April signed House Bill 474, which is based on the National Insurance Association’s sample data privacy law. Persons and entities licensed under Kentucky insurance law with more than 50 employees, valid through January 1, 2024, according to the law and recent news reports.
Steps that licensees must take include developing a written cybersecurity program; investigate and report cyber events within three days to the state insurance commissioner; carry out a risk assessment; and appoint a person in the company responsible for information security.
The NAIC says the model law has been in effect for some time.
“In recent years, there have been a number of major data breaches involving major insurance companies that exposed and compromised the sensitive personal information of millions of insurance consumers,” the NAIC read. a legislative summary. “As a result, state insurance regulators have made a re-evaluation of cybersecurity and consumer data protection regulations a top priority, and in early 2016 the NAIC began drafting Drafting the Insurance Data Privacy Model Law.”
Among other steps, Kentucky’s law requires insurance companies to “identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, or disclosure.” , misuse, alter or destroy non-public information, including the security of information systems, and non-public information accessible to, or held by, third-party service providers. keep,” the law wrote.
Companies must also control information to restrict access to authorized people only, among other measures.
The NAIC Model Law would have only exempted companies with fewer than 10 employees, but Kentucky lawmakers raised that number to 50 workers. Nor shall this law apply to purchasing or custodial groups operated and licensed outside of Kentucky, nor to companies acting as hypothetical insurers and having headquarters in the United States. other states.
Other states that have passed similar legislation include: Alabama, North Dakota, Minnesota, Iowa, Wisconsin, Michigan, Indiana, Ohio, Tennessee, Virginia, Maryland, Washington DC, South Carolina, Louisiana, Mississippi, Delaware, Connecticut, New Hampshire, Maine and Hawaii. Promissory notes are pending in Illinois, Vermont, Rhode Island, and Washington. The NAIC explains that New York has its own data privacy requirements.
Kentucky Network Service Provider
Get automatic alerts for this topic.