Hawaii and Minnesota Enact Insurance Data Security Laws | Practical Law

Hawaii has enacted SB 1100 and Minnesota has enacted HF 6, becoming the most recent states to pass laws based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668). The laws require entities licensed under each state's insurance laws to develop and implement written information security programs and investigate and provide notice of certain cybersecurity events to regulators and consumers.

Practical Law Legal Update w-031-7166 (Approx. 5 pages)

by Practical Law Data Privacy Advisor
Published on 01 Jul 2021 | Hawaii, Minnesota, USA (National/Federal)

On June 26, Minnesota Governor Tim Walz signed a commerce and energy omnibus bill (HF 6) that includes provisions based on the National Association of Insurance Commissioners Insurance Data Security Model Law (MDL-668). On June 28, Hawaii Governor David Ige signed SB 1100, also based on the model law. Both laws apply to entities licensed under each state's insurance laws and impose cybersecurity, data breach notification, and third-party service provider oversight obligations.

Hawaii SB 1100

SB 1100 narrows the model law's definition of nonpublic information to focus only on consumers' personal information and explicitly ties health-related elements to the Health Insurance Portability and Accountability Act (HIPAA). The new requirements otherwise generally align with the model law, requiring licensees to, for example:
  • Conduct specified risk assessments.
  • Develop, implement, and maintain a comprehensive written information security program (WISP) based on their risk assessment that includes specified elements, including an incident response plan, and adjust it as technology and the business and threat environments change.
  • Designate one or more employees, an affiliate, or a third party as responsible for their WISP.
  • Include cybersecurity risks in the enterprise's overall risk management process.
  • Report to their boards of directors, at least annually, on their WISPs' status, their compliance levels, and other material matters.
  • Exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures, with some exceptions for service providers that hold only encrypted data without decryption means.
  • Submit an annual written compliance certification by March 31 to the state insurance commissioner and keep supporting data and records for at least five years.
The law exempts from the information security program requirements licensees that:
  • Have fewer than 10 employees or independent contractors.
  • Are subject to and comply with HIPAA and its implementing regulations, if they submit a written certification.
When a cybersecurity event occurs, under SB 1100, licensees must:
  • Notify the state insurance commissioner, providing specified information, no later than three business days after discovering a cybersecurity event impacting 250 or more consumers, unless law enforcement directs otherwise, if either:
    • Hawaii is the covered entity's domicile or home state; or
    • the licensee reasonably believes that the cybersecurity event involves the information of 250 or more Hawaii consumers and has a reasonable likelihood of materially harming any of them or any material part of the licensee's operations.
  • Comply with Hawaii's state consumer data breach notification law and provide the state insurance commissioner with a copy of any notice sent.
  • Maintain event-related records for at least five years.
The law takes effect July 1, 2021 and gives the state insurance commissioner rulemaking and enforcement powers. However, consistent with the model law's transition provisions, licensees have until:
  • July 1, 2022 to comply with most information security program requirements.
  • July 1, 2023 to comply with third-party service provider oversight requirements.
Certain risk retention groups chartered and licensed in Hawaii have an extra year added to each deadline.

Minnesota HF 6, Article 3, Sections 5 to 13

HF 6, Article 3, Sections 5 to 13 similarly narrows the model law's definition of nonpublic information to focus only on consumers' personal information. The new requirements otherwise generally align with the model law, requiring licensees to, for example:
  • Conduct specified risk assessments.
  • Develop, implement, and maintain a comprehensive WISP based on their risk assessment that includes specified elements, including an incident response plan, and adjust it as technology and the business and threat environments change.
  • Designate one or more employees, an affiliate, or a third party as responsible for their WISP.
  • Include cybersecurity risks in the enterprise's overall risk management process.
  • Report to their boards of directors, at least annually, on their WISPs' status, their compliance levels, and other material matters.
  • Exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures.
  • Submit an annual written compliance certification by April 15 to their applicable Minnesota regulator and keep supporting data and records for at least five years.
However, the new provisions do not include the model law's requirements to adopt procedures for evaluating, assessing, or testing the security of externally developed applications.
The law:
  • Exempts licensees that employ fewer than 25 employees from information security program and certain cybersecurity event investigation requirements.
  • Deems licensees subject to HIPAA to comply with information security program, cybersecurity event investigation, and consumer notification requirements if they submit a written certification to their relevant Minnesota regulator.
  • Deems licensees subject to the Gramm-Leach-Bliley Act and its implementing regulations to comply with information security program requirements if they can produce appropriate documentation upon request.
When a cybersecurity event occurs, licensees must notify:
  • Their applicable Minnesota regulator, providing specified information, no later than five business days after discovery, if:
    • Minnesota is the licensee's domicile or home state and the event has a reasonable likelihood of materially harming a Minnesota resident or the licensee's normal operations; or
    • the licensee reasonably believes that the cybersecurity event involves the information of 250 or more Minnesota residents and is either an event that the licensee is otherwise obligated to report or that has a reasonable likelihood of materially harming a Minnesota resident or its own operations.
  • Affected Minnesota resident consumers, in the most expedient time possible and without unreasonable delay, by means stated in the new law, if the licensee is required to notify their applicable Minnesota regulator and there is:
    • reason to believe an unauthorized person obtained residents' nonpublic information; and
    • a reasonable likelihood of material harm to them.
The law takes effect August 1, 2021 and gives Minnesota's relevant regulators enforcement powers. However, consistent with the model law's transition provisions, licensees have until:
  • August 1, 2022 to comply with most information security program requirements.
  • August 1, 2023 to comply with third-party service provider oversight requirements.