New Hampshire Governor signs new Insurance Data Security Law (SB194)

By Jason Golden | September 12, 2019

As we all know, security threats are multiplying.

Also multiplying: Laws relating to cybersecurity responsibilities. Organizations big and small are impacted by them.

Here in New Hampshire, the latest is Senate Bill 194-FN (SB194).  Governor Sununu signed it into law in August.  It requires insurance companies or “Licensees” in New Hampshire to implement information security programs.  This concept is proven, and the correct response to cybersecurity threats (if you are already following HIPAA or NIST, this is familiar ground).  In our opinion, every business should have an information security program!  What is new is the robustness of requirements in the insurance industry.

If you’re a Licensee, what does this mean for you?  Simply stated, the overall objective is to protect the security and confidentiality of NPI (Non-Public Information) and the security of your information system.  An information security program is required to achieve this objective.  While we recommend working with a team like Mainstay’s Information Security team to both build and sustain an information security program, here is a summary of how you’d build your program to meet the requirements:

  1. Assign Ownership & Schedule:  Someone must be designated as responsible for your program. Assign ownership to someone that can manage your information security program and align your organization with the requirements.  This can be an employee, affiliate or third-party service provider.  Post risk assessment (see below), develop a calendar of events to include continuous monitoring and periodic testing criteria.  Your program should be consistent, comprehensive and organization-wide.    
  2. Conduct Risk Assessments:  Risk assessments are critical to any effective information security program. A proper risk assessment should identify risk based on threats and their potential impact to your organization.  An assessment of your technical, administrative and physical controls needs to be conducted “no less than annually”. Information security is a discipline, not a product, tool or one-time initiative.  In an ideal world your people, processes and technology harmoniously align to reduce risk and put your organization in a defensible position.  Our world isn’t always ideal! Risk assessments measure the effectiveness of your controls and should highlight your strengths and weaknesses.  Prioritize your findings post risk assessment and develop a remediation plan.  You should be sure that you comply with the compliance requirements while also identifying your level of acceptable risk tolerance.
  3. Implement Technical Controls:  Intrusion protection, monitoring and audit trails for data access must be part of your program.  Being aware of and managing threats and vulnerabilities in your information system is required.  Encryption of NPI for data at rest and in transit should be in place.  You must be able to identify and manage access to your information system which means that hardened account controls must be configured.  Institute secure software development practices and testing for any “home grown” software.  Business Continuity Planning – things like secure data backup infrastructure, disaster recovery planning etc. is needed to prevent the loss, ransom or damage of NPI.  The ability to detect, prevent and respond to attacks, intrusion and system failures is also specifically called out and should be measured.  Finding the right information security and technology experts to support the requirements of your program will be an essential component of your program’s success.
  4. Document Technical, Administrative & Physical Controls: Licensees are required to develop, implement and maintain a comprehensive written information security program (WISP).  Your WISP should contain all the safeguards you’ve implemented.  This includes your policies and procedures, or administrative controls needed to support the program.  Modifications to your information system (i.e. change & configuration management) should be handled in accordance with your policies. All personnel must receive security and awareness training and the training should be informed and updated by your risk assessments.  The Bill includes very specific Incident Response Plan requirements for investigation and reporting of security incidents involving NPI. 

SB194 is effective as of January 1st, 2020 and Licensees will have one year to implement their information security programs.  Annually, each Licensee is required to submit a written statement to the NH Commissioner, certifying compliance by March 1st.

At Mainstay, we work with organizations large and small to carry these requirements, and we have pioneered an approach for small business that saves cost and relieves a significant burden.  Our deeply experienced team helps our clients achieve compliance as painlessly as possible! And we’re here to answer questions if we can be helpful.

Here’s to a secure and compliant 2020!