In March, New York’s Department of Financial Services established a cybersecurity regulation for banks and insurance companies that was expected to have national and global impact. Months later, the National Association of Insurance Commissioners adopted a data security model law similar to New York’s.
In late October, the NAIC, the standard-setting organization governed by chief insurance regulators from all 50 states, D.C. and five U.S. territories, adopted the Insurance Data Security Model Law, which includes provisions for investigating data security breaches.
“Considering the recent series of data breaches, cybersecurity is more important now than ever,” said Ted Nickel, NAIC president and Wisconsin insurance commissioner at the time, in a statement. “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”
For New York, the cybersecurity regulations have already been in place for months. In late August, the 180-day grace period for the DFS cybersecurity regulation expired, creating a watershed moment for insurers and the financial institutions doing business in New York. Under DFS’s groundbreaking regulation, entities the agency regulates would have to have state-approved plans to deter cyberattacks, and report any attacks within 72 hours of when they occur.
The New York Law Journal spoke with DFS Superintendent Maria Vullo about New York’s cybersecurity regulation and what role it has played in the NAICs adoption of the model law. Questions and answers have been edited for clarity and brevity.
Q: What role, if any, did DFS play in the NAIC’s adoption of the data security model law?
Vullo: It’s not a coincidence that the NAIC came out with a model a few months ago and that that model is almost exactly the same language as our regulation. We were, and I was, instrumental in moving the NAIC in this direction. I’ve made a point of, since I arrived at this job, of really working through the NAIC and working with fellow commissioners in other states.
The NAIC had a task force on a model cybersecurity law for years that was going back-and-forth and had not led to anything close to being final. We finalized our cybersecurity regulation in February of 2017 and it became effective March 1. At the NAIC national meeting in April, I presented on what we had done in New York and urged that they consider adopting it. I maybe even said “mimicry is the best form of flattery. I have no problem with you plagiarizing.”
The person who had been the head of the task force at the NAIC had left, and so two new commissioners from South Carolina and Rhode Island ran the task force. My staff and I worked closely with them. The NAIC model is extremely close, and is pretty much verbatim in many many places. It even includes a footnote that says compliance with the New York reg is compliance with the law.
Q: Does the NAIC’s model law differ from New York’s regulation?
Vullo: There are no material differences. Because it is a model law and a statute, there are provisions in their law that I don’t need but that some of the other commissioners need. For example, they have provisions giving commissioners the power to investigate the affairs of a licensee for cybersecurity. My regulation doesn’t have that because I already have that ability. As the rule developed, the NAIC included it in its provisions because commissioners were concerned. They wanted to make sure that if a statute like this passed, that they had the authority from the legislature to enforce their investigatory authority.
My regulation is not just for the insurance industry, and that’s an important distinction. I regulate insurance companies, as well ask banks and other financial services providers. The NAIC model law is only for insurance and my regulation covers all of the other regulated entities that I supervise.
Q: What prompted the NAIC to do this now?
Vullo: I think in the past, they had been going back-and-forth with drafts for several years. New York, me, we acted here. We went out with a proposed regulation, We had a significant comment period and incorporated good comments. We had lots of meetings. Lots of discussion with our regulated institutions and I finalized the regulation in February effective March 1. Sometimes it takes somebody to go out and do something for other people to say “OK, we can’t wait any longer.” I guess you could say this was a catalyst that prompted it and then the new leadership of the NAIC work group and the cybersecurity issue in 2017 is so big. Some of our institutions and insurance companies wanted consistency and they worked with us, through the NAIC, to get consistency.
Q: What has the feedback from the industry to this regulation been?
Vullo: These are difficult issues and a new thing that they have to comply with. I believe that at the end of the process they were comfortable where we got because we listened to them. But at the same time, it is a requirement. It has to be followed. Cybersecurity is a big deal. We recognize it and we worked with the industry to understand how best to implement something like this with respect to their institution and we modeled the reg to be adaptable depending on all shapes and sizes of institutions.
Q: How does the cybersecurity rule in New York apply to medical records and insurance lawyers?
Vullo: Medical records would only apply when you’re dealing with insurance companies. To the extent that an insurance company has medical records, which they probably do, then it applies to the company. Of course, [the Health Insurance Portability and Accountability Act] still applies and all of the protections of the federal statute apply. Nor does it conflict with Gramm-Leach-Bliley.
With respect to insurance lawyers, the regulation applies to nonpublic, personally identifiable information. It doesn’t apply to everything. If there’s a third-party vendor that a law firm sends information out to, the institution has to do its due diligence. That vendor has to have the programs and system in place to protect the data. In other words, the company that I regulate can’t avoid the regs by outsourcing its operations and the nonpublic information that’s covered to a third-party vendor without ensuring that that vendor has adequate protections that would comply with the regulations.