Insurance Data Security Requirements
2021 Wisconsin Act 73
By Natalie White, Communications Director
Legislation discussed in this and other PIAW publications many times over the past couple of years has now been passed and signed into law. With cyber threats continuing to grow, Wisconsin Act 73 is an important measure for the insurance industry in Wisconsin to ensure that state cybersecurity measures are enacted and that the federal government is not inclined to supersede state regulation in that regard.
The provisions included in 2021 Wisconsin Act 73 go into effect on November 1st, unless a separate effective date is listed. Some of the major components of the Act are summarized below:
Investigation Following a Cyber Breach
In the event that a licensee learns that a cybersecurity event has occurred, there must be an internal investigation into the event’s nature and scope, what nonpublic information may be concerned, and what practical measures are being taken to ensure that the system has once again been secured. A cybersecurity event is defined in the law as “an event resulting in the unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored on an information system.” Additionally, if an event occurs, the records related to it must be maintained for five years and shared with the Office of the Commissioner of Insurance if requested.
Notification Requirements
If a cybersecurity event occurs and there is the belief that the breach may cause harm to consumers, licensees must notify the Office of the Commissioner of Insurance (OCI) as soon as possible within three business days after they learned of the event. After OCI is initially notified within the three-day window, various additional information must be provided including the number of consumers affected, what data has been exposed, how the event was discovered, what efforts are being taken to recover the information, etc.
Licensees are required to notify each affected customer within a reasonable timeframe, not exceeding 45 days, if it is known that their nonpublic information was acquired by an unauthorized party. A copy of this notice must be sent to OCI. In the case that more than 1,000 customers must be notified because of one single event, the licensee must give notice to consumer reporting agencies.
Information Security Program (ISP)
Most PIAW members are exempt from the requirement to have an Information Security Program certified by OCI because they have fewer than 50 employees OR less than $10 million in total assets OR less than $5 million in gross annual revenue.
For large agencies that are not exempt, this section requires them to develop, implement, and maintain a comprehensive information security program to protect their information system. The program needs to be based on risk assessments that identify foreseeable threats to security, potential damages, and the competence of any safeguards in place. The ISP must be appropriate based on the size and potential threats of the licensee, must designate those responsible for the information system, and must be completed by November 1st, 2022.
In addition, licensees subject to this section must develop an incident response plan on how to respond in the case of a breach. They must also take reasonable care in assessing third-party service providers to ensure that these providers are appropriately secure and report cybersecurity events by November 1st, 2023.
Lastly, licensees subject to these requirements must provide certification on an annual basis to OCI, showing that they are in compliance with these requirements and maintain records that certify compliance for at least five years. These annual certifications are due no later than March 1st, starting March 1st, 2023.
This article is not intended to be legal advice and is not comprehensive. It is important that you review the entirety of Wisconsin Act 73 to ensure you are familiar with it and are in compliance. You can review the Act in its entirety at https://docs.legis.wisconsin.gov/2021/related/acts/73 and you can review the OCI Bulletin on the Act at https://oci.wi.gov/Pages/Regulation/Bulletin20210930Cybersecurity.aspx.