A new law was recently passed (O.R.C. Chapter 3965) regarding cyber security pertaining to those licensees of the Ohio Department of Insurance. This law applies to any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. Licensee includes insurer. Licensee does not include a purchasing group or risk retention group chartered and licensed in another state or a licensee who is acting as an assuming insurer that is domiciled in another state or jurisdiction.
New requirements in O.R.C. Chapter 3965 include:
- All licensees are required to develop, implement, and maintain a comprehensive information security program based on a risk assessment (O.R.C. Chapter 3965.02). This program should reflect the size and complexity of the organization. There are exemptions to having an information security program that can be found in O.R.C. Chapter 3965.07.
- A licensee shall exercise due diligence in selecting its third-party service provider (O.R.C. Chapter 3965.02 (F)).
- Under certain circumstances licensees are required to notify the superintendent as promptly as possible after a determination that a cybersecurity event involving nonpublic information has occurred, but in no event later than three business days after that determination (O.R.C. Chapter 3965.04).
*Above are key new requirements only; licensees should review O.R.C. Chapter 3965 in its entirety for all requirements.
For more information regarding O.R.C. Chapter 3965, refer to the frequently asked questions below.
Information Security Program
1. What is an information security program?
An information security program means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
The information security program should be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control.
2. Who must file an information security program certification in Ohio?
Only a domestic insurer is required to file an information security program certification statement or indicate which exemption it meets.
3. Are there any exemptions to having an information security program? If yes, what are they?
Yes, there are exemptions to having an information security program. Any licensee who meets any one of the following categories may qualify for an exemption:
- The licensee has fewer than twenty employees.
- The licensee has less than five million dollars in gross annual revenue.
- The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.
- A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164.
- An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section 3965.02 of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.
4. When do I have to file my information security program certificate of compliance or notice of exemption with the Ohio Department of Insurance?
- Multi State Domestic Insurer – Annually by February 15th, beginning in 2021
- Single State Domestic Insurer –
  - Beginning June 1, 2020 as part of its corporate governance disclosure; OR,
  - Annually thereafter beginning February 15th each year but no later than June 1st as part of its corporate governance disclosure
5. If I am already in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164, must I file something with the Ohio Department of Insurance to demonstrate this, and how can I file a certification statement now?
Yes. Domestic insurers can complete the HIPAA Compliance Certification Statement. You can find the form on the Information Security Resource Center page. Completed forms can be emailed to INSINFOSEC@insurance.ohio.gov.
6. The law provides an exemption for companies with fewer than 20 employees. How is employee defined?
Full-time or part-time equivalent employees who receive a W-2 are considered employees for purposes of the exemption. Contracted staff are not considered employees.
7. Who is required to authorize or sign the statement certifying compliance?
A board member or senior officer, or someone acting at the direction of a board member or senior officer.
8. If I am part of an insurance holding company system, can I file one compliance statement for the entire holding company or do I need to file separately for each entity within the holding company system?
The department is building a solution to allow for one compliance statement for the entire holding company. Further guidance on how the compliance statements can be filed is forthcoming.
Third-Party Service Providers
1. What are third-party service providers?
A third-party service provider means a person other than a licensee that:
- Contracts with a licensee to maintain, process, or store nonpublic information through its provision of services to the licensee;
- Otherwise is permitted access to nonpublic information through its provision of services to the licensee.
2. What are licensees required to do in relation to third-party service providers?
Effective March 20, 2021, licensees are required to exercise due diligence when contracting with third-party service providers and shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
Loss of Nonpublic Information
1. What is nonpublic information?
Nonpublic information is information that is not publicly available and is one of the following:
- Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
- Information concerning a consumer that, because of the name, number, personal mark, or other identifier contained in the information, can be used to identify that consumer in combination with any one or more of the following data elements:
  - Social security number;
  - Driver's license, commercial driver's license, or state identification card number;
  - Account, credit card, or debit card number;
  - Any security code, access code, or password that would permit access to the consumer's financial account;
  - Biometric records.
- Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
  - The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
  - The provision of health care to the consumer;
  - Payment for the provision of health care to the consumer.
2. How can I report a loss of nonpublic information to the Ohio Department of Insurance?
A loss of nonpublic information can be reported to the Ohio Department of Insurance online.
3. When and how soon must a licensee report a loss of nonpublic information to the Ohio Department of Insurance?
Please refer to When to File a Loss of Nonpublic Information Workflow for assistance in determining when a loss of nonpublic information should be reported to the Ohio Department of Insurance. When in doubt, simply report it.
All incidents should be reported as promptly as possible, but no later than three business days after determining that a cybersecurity event involving nonpublic information has occurred.
4. What information is to be included when reporting a loss of nonpublic information to the Ohio Department of Insurance?
You can reference the Loss of Nonpublic Information Reporting Checklist for details on the information required for the report.