Companies that deal with insurance in Alabama have a new law to prepare for. In May of 2019, when Governor Kay Ivey signed Alabama Act 2019-98, the Insurance Data Security Law, Alabama joined a growing list of states to mandate a more extensive set of rules and regulations regarding information security for entities licensed by the state’s Department of Insurance. Now is the time for Alabama licensees to take heed, because this new law is going to have big impacts on entities that aren’t accustomed to making information security a high priority.
A New InfoSec Paradigm for Licensees
Under the Insurance Data Security Law, licensed entities must develop and maintain a comprehensive written information security plan. While that might not seem like much at first glance, there is a lot that goes into it. Section 4 of the new law addresses the bulk of the components that a compliant information security program should include, as well as the actions that entities must undertake to achieve compliance. The law goes so far as to include sections about proper investigation of information-compromising events, event reporting, and how to handle third-party service providers. And unlike some infosec-based laws, this one is not left without teeth. An entire section of the law, Section 10, provides penalties for non-compliance, including revocation of licenses and fines of up to $10,000 per violation.
A Comprehensive Information Security Program
Entities looking to achieve compliance in the eyes of the Department of Insurance need to start with a thorough risk assessment of their information security systems, the nonpublic data they protect, and their aptitude for managing compromising events. They must then develop, implement, and maintain a comprehensive written information security program directly based on that risk assessment, as well as the size and complexity of the organization.
The information security program must contain administrative, technical, and physical safeguards to protect the security and confidentiality of nonpublic information and the information system. Licensees are expected to achieve this level of protection by implementing what they deem to be appropriate security measures, such as:
- Access Control on information systems
- Identification and management of data, personnel, devices, systems, and facilities
- Restriction of physical access to nonpublic information
- Encryption of nonpublic information during transmission and storage
- Adoption of secure development practices for in-house developed applications
- Multi-Factor Authentication
- Regular/continuous monitoring
- Audit trails
- Protection of nonpublic information from environmental hazards
- Secure information disposal procedures
Licensees are expected to include cybersecurity risks in their overall risk management processes and remain aware of emerging threats. They must also provide personnel with cybersecurity awareness training, commensurate with the results of the risk assessment.
Regardless of security measures and risk awareness, compromising events are still an inevitability. Because of that, licensees must also establish a written incident response plan and devote time to regularly monitor, evaluate, and adjust the information security program. These two components by themselves can prove to be daunting tasks for organizations to undertake alone.
Adding Third-Parties to the Mix
One of the biggest surprises with this new law was that it specifies that the third-parties with which a licensee does business must be appropriately included in the licensee’s risk assessment. Under this law, licensees must exercise due diligence in selecting third-party service providers and are responsible for requiring selected providers to implement appropriate measures to protect relevant nonpublic information.
New Reporting Requirements
Section 6 of the Insurance Data Security Law covers some new requirements for how licensees must report compromises on nonpublic information. In addition to the requirements set forth in the Alabama Data Breach Notification Statute, licensees will be required to notify the Alabama Insurance Commissioner within 3 business days of any breach if the entity is domiciled in Alabama or if the breach involves the nonpublic information of 250 or more Alabama consumers. These reports are required to contain specific information, all of which is explained in the same section.
Exemptions for Smaller Companies
The law does provide exemptions for some smaller licensees. Entities with fewer than 25 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets are exempt from compliance until they surpass all three of those thresholds.
Compliance Coming Soon
The Insurance Data Security Law went into effect when Governor Ivey signed it back in May of 2019, and the time that licensed entities have been given to achieve compliance is running out. Licensees have until May of 2020 to achieve compliance for themselves, and until May of 2021 to verify that their third-party service providers have done the same.
For companies that need help identifying and implementing the elements necessary for compliance, Mission Multiplier – an award-winning cybersecurity company based in Huntsville, Alabama – is here to help. We have access to a team of credentialed subject matter experts with years of experience implementing regulation-compliant information security programs. We can assist through the entire process, from initial risk assessment to continuous monitoring. If you, your organization or company, or someone you know would like more information on achieving compliance or our company, please do not hesitate to reach out to Mission Multiplier at info@missionmultiplier.com.
