Vermont has enacted H.515, an insurance data security law based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668). The law requires Vermont-licensed insurers to develop and implement written information security programs, investigate cybersecurity events, and annually certify compliance, but does not include the model's state and consumer notice requirements.
On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the latest state to adopt legislation based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668). The new law applies to those licensed, authorized to operate, or registered under Vermont insurance law, with limited exceptions.
The law generally adopts the model law's broad definition of non-public information and follows the model law's provisions requiring licensees to:
Conduct risk assessments based on detailed requirements.
Develop, implement, and maintain a comprehensive written information security program (WISP), based on the risk assessment, that includes specified elements and a cybersecurity incident response plan.
Monitor emerging threats or vulnerabilities and use reasonable and appropriate security measures when sharing information.
Include cybersecurity risks in the enterprise risk management process.
Provide cybersecurity awareness training to personnel and update the training as necessary.
Provide their board of directors with annual written reports on the WISP's status, compliance levels, and other material matters.
Require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect their information systems and nonpublic information.
Where Vermont is the licensee's state of domicile, annually submit a written compliance certification to the Commissioner by April 15 and retain the records supporting that certification for five years.
Respond to cybersecurity events by conducting a prompt investigation and taking reasonable corrective action.
Unlike the NAIC model law, the Vermont law does not require licensed insurers to notify the state insurance authority or affected individuals of cybersecurity events. However, the law explicitly provides that it does not change Vermont's general data breach law. For more on Vermont's data breach notification law, see State Q&A, Data Breach Notification Laws: Vermont.
A licensee is exempt from the law's information security program requirements if it:
Has fewer than 20 employees, including independent contractors.
Is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), maintains a HIPAA-compliant information security program that follows HIPAA's guidelines, regulations, and rules, and submits an annual written certification to that effect.
Is an employee, agent, representative, or designee of a Vermont-licensed insurer and is covered by the information security program of another Vermont-licensed insurer.
Is subject to and in compliance with the Gramm-Leach-Bliley Act and can produce documentation validating that status when the Commissioner requests it.
Licensees that comply with the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR §§ 500.0 to 500.23) are also exempt from the law's requirements if they submit a written statement of compliance to the Commissioner.
The law gives the Commissioner the power to:
Investigate any licensee to determine whether it has violated the law.