Aug 28
Do You Have To Report a Wholesaler's Cyber Event?

A South Carolina-based wholesale insurance brokerage reported last week that it had suffered a cybersecurity incident it did not describe further. The incident shut the wholesaler down for a substantial part of the week.

Some Big I New York members have asked whether the New York financial services cybersecurity regulation obligates them to notify the state insurance regulators about this incident. We expect that some Big I Connecticut members also do business with that wholesaler and want to know what their obligations are under the state’s Insurance Data Security Law.

Based on the information we have received and what the wholesaler has said on its website, we do not believe Connecticut agencies have an obligation under the law to report this incident to the state Department of Insurance (DOI). The wholesaler might, but the retail agencies do not.

Subsection (e) of the law states:

(e) Notification of a Cybersecurity Event.

(1) Notification to the Commissioner. Each licensee shall notify the Insurance Commissioner that a cybersecurity event has occurred, as promptly as possible but in no event later than three business days after the date on which such licensee first determines that a cybersecurity event has occurred, if:

(A) Such licensee is an insurer and this state is the insurer's state of domicile, or the licensee is an insurance producer, as defined in section 38a-702a, and this state is the insurance producer's home state, as defined in section 38a-702a, and it is reasonably likely that the cybersecurity event will materially harm:

(i) A consumer residing in this state; or
(ii) A material part of such licensee's normal operations; or

(B) The licensee reasonably believes that the nonpublic information involved in the cybersecurity event is of two hundred fifty or more consumers residing in this state and:

(i) State or federal law requires that a notice concerning such cybersecurity event be provided to a government body, self-regulatory agency or another supervisory body; or

(ii) It is reasonably likely that such cybersecurity event will materially harm:

(I) A consumer residing in this state; or
(II) A material part of such licensee's normal operations. ...

(4) Notice Regarding Cybersecurity Events of Third-Party Service Providers

(A) In the case of a cybersecurity event involving an information system maintained by a third-party service provider, each licensee affected by the event shall treat such event, if the licensee is aware of such event, as such licensee would treat such event under subdivision (1) of this subsection.

(B) The computation of a licensee's deadlines shall begin on the day after a third-party service provider notifies the licensee of the cybersecurity event or such licensee otherwise first has actual knowledge of such event, whichever is sooner.

(C) Nothing in this section shall prevent or abrogate an agreement between a licensee and another party to fulfill any of the investigation requirements imposed under subsection (d) of this section or the notice requirements imposed under this subsection.

Subsection (b), which defines the terms the law uses, states:

(b) Definitions. For the purposes of this section: …

(3) "Cybersecurity event" means an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the information stored thereon, except if:

(A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or

(B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed. …

(7) "Licensee" means any person licensed, authorized to operate or registered, or required to be licensed, authorized to operate or registered, pursuant to the insurance laws of this state, … 

(9) "Nonpublic information" means electronic data and information, other than publicly available information and a consumer's age or gender, that: 

(A) Concerns the business of a licensee and that, if accessed, disclosed, tampered with or used without authorization from the licensee, would have a material adverse impact on the business, operations or security of such licensee; 

(B) concerns a consumer and that, because such data or information contains a name, number, personal mark or other identifier, can be used to identify such consumer in combination with:

(i) A Social Security number;
(ii) a driver's license number or nondriver identification card number;
(iii) an account, credit or debit card number;
(iv) an access or security code, or a password, that would permit access to the consumer's financial account; or
(v) a biometric record; or 

(C) is in a form or medium created by, or derived from, a health care provider or consumer and concerns: 

(i) The past, present or future physical, mental or behavioral health or condition of a consumer or a member of a consumer's family;
(ii) the provision of health care to a consumer; or
(iii) payment for the provision of health care to a consumer.

(10) "Person" means any individual or any nongovernmental entity, including, but not limited to, any nongovernmental partnership, corporation, branch, agency or association. …

(13) "Third-party service provider" means a person, other than a licensee, that: 

(A) Contracts with a licensee to maintain, process or store nonpublic information; or 

(B) is otherwise permitted to access nonpublic information through the person's provision of services to a licensee.

The incident at this wholesaler was clearly a “cybersecurity event” because it resulted in the disruption of an information system. It was also a cybersecurity event at a “third-party service provider,” because the wholesaler (I assume) has access to the retailer’s nonpublic information.

However, the wholesaler has said, “To date, there is no evidence that any data has been misused in any way.” If so, it is not reasonably likely that the cybersecurity event will materially harm a Connecticut resident consumer or a material part of a retail agency’s normal operations. In addition, there is currently no reason to believe that the non-public information exposed was of 250 or more Connecticut resident consumers and that the agency is obligated to report it to law enforcement.

Since the event does not meet these criteria, it is not one that must be reported to the DOI. That could change, especially if the wholesaler does eventually report that private data was exposed and they had to notify the police. Any future communications from them on this will be important.
