Client Alert: Maryland Adopts Cybersecurity and Incident Reporting Requirements
Specifically Applicable to Insurance Carriers
Date: October 5, 2022
Under the new law, which is based on a National Association of Insurance Commissioners model law, insurance carriers (which are defined to also include, among others, third-party administrators and health maintenance organizations) must assess the risk of threats that might result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information and the likelihood of damage from such threats. Based on its risk assessment, each insurance carrier must develop, implement and maintain a comprehensive written information security program (“WISP”), pursuant to which it must adopt administrative, technical and physical safeguards for the protection of nonpublic information. The safeguards must be commensurate with the size and complexity of the carrier, the nature and scope of the carrier’s activities and the sensitivity of the nonpublic information it possesses. The effectiveness of the safeguards must be assessed on at least an annual basis.
The new law includes a list of specific security measures that insurance carriers must consider implementing, requires that carriers stay informed of emerging threats and vulnerabilities, and requires that they use reasonable security measures when sharing information. Among other requirements in the new law, insurance carriers must also:
- provide cybersecurity awareness training to personnel;
- provide Boards of Directors, on at least an annual basis, with a report of the status of the carrier’s WISP and its compliance with it;
- require service providers to implement appropriate safeguards;
- establish a written incident response plan; and
- annually submit to the Maryland Insurance Commissioner a statement certifying compliance with the new law’s requirements.
Insurance carriers not domiciled in Maryland are exempt from the new law if domiciled in another state that has adopted a substantially similar law or regulation.
Senate Bill 207 also requires that insurance carriers promptly investigate cybersecurity events and take steps to restore the security of compromised information systems. A carrier must notify the Maryland Insurance Commissioner within three business days after it determines that a cybersecurity event has occurred if (1) the carrier is domiciled in Maryland and the cybersecurity event has a reasonable likelihood of harming a Maryland consumer or any material part of the carrier's normal operations; or (2) the carrier reasonably believes that the cybersecurity event involves the nonpublic information of 250 or more Maryland consumers and it either (a) must give notice under another applicable law or (b) meets certain harm thresholds set forth in the new law.
Carriers that are governed by and compliant with HIPAA are deemed to be in compliance with the new Maryland law’s WISP and security breach investigation requirements, but not the breach notification requirements.
The Insurance Commissioner is authorized by the new law to investigate whether insurance carriers have violated the law and to issue penalties of between $100 and $125,000 for each violation of the law.
Although the new law takes effect on October 1, 2022, carriers have until October 1, 2023 to comply with most of the requirements in new section 33-103, including those pertaining to the implementation of a WISP, and until October 1, 2024 to comply with the requirements applicable to service providers. Insurance carriers with fewer than 25 employees that meet some additional requirements may defer compliance for an additional year.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.