On February 25, 2020, the Virginia General Assembly passed House Bill 1334, the Insurance Data Security Act, which establishes data security requirements for persons licensed under the insurance laws of the Commonwealth. See Virginia Code §§ 38.2-621 through 38.2-629. Following other state laws that have created data security regimes for the insurance industry, the Virginia law requires licensees to maintain the security of their information systems and of nonpublic information. The law also requires licensees to investigate cybersecurity events and to notify affected individuals and the Commissioner of Insurance.

Definitions Applicable to Insurance Data Security

The Virginia law requires licensees to protect nonpublic information, which includes (1) certain business-related information; (2) personal information of a consumer, including a Social Security number, identification number, or biometric information; and (3) healthcare information, including past treatment or payment information. The law defines a "cybersecurity event" as "an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person."

Requirements for Licensees

The law requires licensees to maintain a written information security program designed to protect the security and confidentiality of nonpublic information, to prevent compromises of and unauthorized access to nonpublic information, and to ensure the proper retention and destruction of nonpublic information. Licensees must institute controls and policies that maintain data security, such as designating persons responsible for implementing and overseeing the information security program, mitigating identified risks, preventing unauthorized access, and providing periodic cybersecurity training. Licensees must also develop a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information or information systems, or the continuing functionality of any aspect of the licensee's business or operations.

Responding to Actual or Suspected Cybersecurity Events

In the event of a suspected cybersecurity event, licensees must conduct a prompt investigation that:

  1. Determines whether a cybersecurity event has occurred;
     
  2. Assesses the nature and scope of the cybersecurity event;
     
  3. Identifies any nonpublic information that may have been impacted; and
     
  4. Restores the security of the information systems compromised in order to prevent further unauthorized acquisition, release, or use of nonpublic information.

If a cybersecurity event has occurred, the licensee must notify the Commissioner of Insurance within three business days and must also provide notification to affected third-party insurance producers and, for reinsurance arrangements, to ceding insurers. As under the Commonwealth's general data breach notification law, the licensee must also notify affected consumers.

Miscellaneous Provisions

The law does not create a private cause of action for individuals, but it authorizes the Commissioner of Insurance to adopt rules and regulations implementing the law, to investigate suspected violations, and to take the actions necessary to enforce it. The law also extends confidentiality and privilege protection to documents and materials provided to the Bureau of Insurance under the law. Further, effective July 1, 2022, licensees must exercise due diligence in selecting third-party service providers and must require those providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information to which they have access.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.