Kentucky became the latest state to adopt the NAIC insurance data security model law with Governor Andy Beshear’s signing of House Bill 474. The new law goes into effect Jan. 1, 2023, and gives covered licensees one or two years for implementation, depending on the specific provision. Like many other states, Kentucky enacted the law with some variations to the model law. One notable difference is Kentucky’s reporting requirements for a “cybersecurity event.” Under the new law, a “cybersecurity event” is “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system.” Here, for an insurer domiciled in Kentucky, notification to the insurance commissioner is required if the cybersecurity event “has a reasonable likelihood of harming any material part of normal operations of the licensee.” Additionally, for an insurance producer whose home state is Kentucky, notice of a cybersecurity event is required without any qualification.
This is a continuation of a trend begun with the NYDFS regulation that requires licensees to report cybersecurity events to NYDFS under similar circumstances. More regulators are moving toward frameworks that require covered organizations to report incidents that do not necessarily impact personal or nonpublic information.
For licensees who are not domiciled in Kentucky, the reporting trigger occurs where the cybersecurity event involves the nonpublic information of 250+ Kentucky residents and one or both of the following: the licensee is required to notify another regulator under state or federal law, and the event has a reasonable likelihood of materially harming any Kentucky consumer or a material part of the normal operations of the licensee.
Like other insurance data security laws, Kentucky’s new law also requires covered licensees to, among other things, implement a written information security program, conduct risk assessments, enact appropriate data security measures, and require third-party service providers to implement appropriate measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider. Licensees with fewer than 50 employees, including independent contractors, are exempt from most of these requirements, including reporting requirements. In joining the nearly 30 other states with an insurance data security law, Kentucky is the latest state to enact cybersecurity and reporting requirements for entities operating in a regulated industry. This new law and its nuances highlight the patchwork of state laws that impose similar obligations on insurance, mortgage, and other heavily regulated industries.