Tennessee Insurance Data Security Law


Tennessee has enacted the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Law. The new Tennessee law is based on the model law that was finalized in October 2017, and requires Tennessee-licensed insurers to develop and implement written information security programs, and to investigate and provide notice of specified cybersecurity events to the insurance commissioner and consumers. With the addition of Tennessee, the model law has been successfully adopted by 18 states, with several failed attempts in other states. We will likely see more states rapidly adopt the model law, because the U.S. Treasury has recommended a 2022 deadline for adoption of uniform data security regulations for the insurance industry.

A “Licensee” under Tennessee’s Insurance Data Security Law

A “licensee” under the law is a person licensed, authorized to operate, or registered pursuant to the laws governing insurance in Tennessee (or required to be). A “licensee” does not include a purchasing group or risk retention group chartered and licensed in another state, or a person acting as an assuming insurer and domiciled in another state or jurisdiction.

New Requirements of Tennessee-licensed Insurers

The law requires licensees to:

  • Conduct risk assessments;
  • Develop, implement, and maintain a comprehensive written information security program, based on the licensee’s risk assessment, that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system;
  • Monitor, evaluate, and adjust the information security program, consistent with relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to its information, the licensee’s changing business arrangements, and changes to information systems;
  • Include cybersecurity risks in the enterprise risk management process;
  • Remain informed regarding emerging threats or vulnerabilities to the licensee and utilize reasonable security measures when sharing information, relative to the nature of the sharing and the type of information being shared;
  • Provide personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment;
  • Provide its board of directors, if it has one, a written report (at least once a year) detailing the status of the licensee’s information security program and compliance with the law, and material matters related to the licensee’s information security program;
  • Exercise due diligence in selecting third-party service providers and require all third-party service providers to implement appropriate safeguards to protect and secure their information systems and nonpublic information;
  • Submit a written certification to the Commissioner of the Department of Commerce and Insurance by April 15 each year that the licensee is in compliance with this law; and
  • Maintain all records, schedules, and data supporting the certification made to the commissioner for a period of five years from the date of the corresponding certification.

Cybersecurity Event Response Requirements

Investigation Requirements

The Tennessee Insurance Data Security Law requires licensees to act if they learn that a cybersecurity event has, or may have, occurred. In that case, the licensee (or an outside vendor or service provider designated to act on its behalf) must conduct a prompt investigation. The investigation must:

  • Determine whether a cybersecurity event has occurred;
  • Assess the nature and scope of the cybersecurity event;
  • Identify nonpublic information that may have been involved in the cybersecurity event; and
  • Take or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or control.

If a licensee learns that a cybersecurity event has, or may have, occurred in a system maintained by a third-party service provider, then the licensee must complete or confirm, and document, that the third-party service provider has completed the above actions. Insurance licensees must keep records of all cybersecurity events for at least 5 years from the date of discovery. Even if the licensee determines after its investigation that the incident was not a cybersecurity event, a record of this finding must also be kept for 5 years.

Tennessee Insurance Data Security Law Notification Rules

Commissioner: Following a determination that a cybersecurity event occurred, a licensee must notify the Commissioner within three business days if (a) Tennessee is the licensee’s domicile or home state and there is a reasonable likelihood of materially harming a consumer residing in Tennessee or a material part of the licensee’s normal operations; or (b) the licensee reasonably believes that the event involves the nonpublic information of 250 or more Tennessee consumers and either the event requires notice to the government under state or federal law, or the event has a reasonable likelihood of materially harming a Tennessee consumer or the licensee’s normal operations. The notice to the commissioner must contain the following, and supplemental updates must be provided:
  • The date of the event,
  • A description of how the nonpublic information was exposed,
  • How it was discovered,
  • Whether the information has been recovered (and how),
  • The identity of the source of the event,
  • Whether a police report was filed,
  • A description of the information acquired,
  • The period the licensee’s system was compromised,
  • The total number of consumers affected (or best estimate),
  • The results of any review of internal processes,
  • Description of remediation efforts,
  • A copy of the licensee’s privacy policy and steps it will take to investigate and notify consumers,
  • The name of the person authorized to act on behalf of the licensee in response,
  • A copy of any notice sent to consumers, if required.
Consumers: Following a determination that a cybersecurity event occurred and Tennessee consumers may be materially harmed, a licensee must notify the consumers whose information was acquired (or reasonably believed acquired) within 45 days after determination of the event. This period may be extended as needed by law enforcement. Notice may be made by:
  • Written Notice
  • Electronic Notice (e.g. email): If it is the primary method of communication.
  • Substitute Notice: If the cost would exceed $250,000, over 500,000 consumers are affected, or the licensee does not have sufficient contact information. Substitute notice can be achieved by email (if available), posting on the licensee’s website, or notification of statewide media.
Third-Party Service Providers: If the cybersecurity event occurred at a third-party service provider that maintains the licensee’s information system, the notification requirements are largely the same, with only a few additions.

Exemptions to Tennessee’s Insurance Data Security Law

The law exempts licensees:

  • That employ fewer than 25 individuals, whether classified as employees or independent contractors;
  • With less than $5 million in gross annual revenue or less than $10 million in year-end total assets; or
  • That are subject to and comply with specified federal laws.

Important Dates

The Tennessee Insurance Data Security Law takes effect on July 1, 2021. However, covered licensees have until July 1, 2022 to implement the comprehensive written information security program and until July 1, 2023 to require all third-party service providers to implement the appropriate safeguards detailed above.

Enforcement Authority

Enforcement power under Tennessee’s Insurance Data Security Law rests with the Commissioner of the Department of Commerce and Insurance. The commissioner has the power to investigate licensees to determine whether they have violated the law, as well as to enforce penalties for such violations. The law provides for monetary penalties of up to $1,000 per violation, and of up to $25,000 per violation if the violation was intentional.

Davidson Lentz

Davidson is an attorney in the Nashville office of Lewis Thomason, where he practices in the areas of cyber-security law, data privacy law, business and commercial law, and general civil litigation. Davidson worked as a contractor for Amazon before returning to law school.
