Rhode Island has enacted an insurance data privacy law requiring carriers to develop and maintain a comprehensive written information security program based on a risk assessment, detailing nonpublic data safeguards.
The law, transmitted to the Rhode Island secretary of state by Gov. Dan McKee’s office on June 26 without his signature, will take effect on Jan. 1, 2025.
Under the new law, insurers must notify the insurance commissioner within three days of discovering a cybersecurity event if it requires notification to any government body, self-regulatory agency, or other supervisory body under state or federal law. Insurers must also notify the commissioner if a cyber event is likely to harm Rhode Island consumers or hinder the carrier’s ability to operate in the state.
According to a report, notifications must include the event date, a description of the data compromise, information about the event’s discovery, recoverability of the data, and the number of consumers potentially affected. These requirements also apply to cybersecurity incidents at third-party service providers holding the carrier’s nonpublic information.
Insurers operating in Rhode Island must submit an annual statement certifying compliance with the data privacy laws. If any part of a security plan is found lacking, the annual report should outline how the issues will be addressed. These statements are due to the insurance commissioner by April 15 each year.
The law also mandates that insurers maintain records for five years following a cybersecurity event and provide them to the state insurance commissioner if requested. Carriers are required to periodically reassess the retention of nonpublic information and consider mechanisms to destroy old, unnecessary data.
Risk assessment-based cybersecurity plans should foresee internal and external threats and evaluate their likelihood and potential damage. Plans should also assess the effectiveness of measures like employee cybersecurity training, data transmission and disposal safeguards, and the ability to detect and deter cyberattacks.
The law requires the establishment of incident response plans addressing factors such as the internal process for responding to an attack, roles and responsibilities of decision-makers during the event, plans for internal and external communications, and documentation and reporting of the event.
Matthew Gendron, general counsel and chief of regulatory compliance for the Rhode Island Division of Financial Services, stated in an email that the department appreciates the legislature’s support in enacting this bill and joining the 24 states that have adopted this NAIC model law. He added that it gives the department better authority to protect consumers.
Gendron said that the division is preparing a bulletin for the fall to update stakeholders and answer commonly asked questions.