Kentucky has turn out to be the 21st state to undertake an information safety legislation that can require insurers and bigger businesses to beef up measures designed to assist stop cyber assaults and knowledge breaches.
Gov. Andy Beshear in April signed House Bill 474, which was primarily based on the Nationwide Affiliation of Insurance coverage Commissioners’ mannequin knowledge safety legislation. Individuals and organizations licensed beneath the Kentucky insurance coverage legal guidelines who’ve greater than 50 staff, have till Jan. 1, 2024 to conform, in response to the legislation and up to date information studies.
The steps that licensees should take embody growing a written cybersecurity program; investigating and reporting cyber occasions inside three days to the state insurance coverage commissioner; conducting danger assessments; and designating an individual within the firm to be accountable for data safety.
The NAIC has stated the mannequin legislation was within the works for a while.
“In recent times, there have been a number of main knowledge breaches involving giant insurers which have uncovered and compromised the delicate private data of hundreds of thousands of insurance coverage shoppers,” reads a legislative transient by the NAIC. “Consequently, state insurance coverage regulators made reevaluation of the rules round cybersecurity and client knowledge safety a high precedence, and in early 2016 the NAIC started drafting the Insurance coverage Information Safety Mannequin Regulation.”
Amongst different steps, Kentucky’s legislation requires insurers to “determine moderately foreseeable inner or exterior threats that would lead to unauthorized entry, transmission, disclosure, misuse, alteration, or destruction of nonpublic data, together with the safety of knowledge techniques and nonpublic data which can be accessible to, or held by, third-party service suppliers,” the legislation reads.
Corporations should additionally put controls on data to restrict entry solely to licensed folks, together with many different measures.

The NAIC mannequin legislation would have exempted solely these firms with fewer than 10 staff, however Kentucky lawmakers upped that to 50 staff. The legislation additionally is not going to apply to buying teams or danger retention teams chartered and licensed outdoors of Kentucky, in addition to firms that act as assuming insurers and are domiciled in different states.
Different states which have adopted related legal guidelines embody: Alabama, North Dakota, Minnesota, Iowa, Wisconsin, Michigan, Indiana, Ohio, Tennessee, Virginia, Maryland, Washington D.C., South Carolina, Louisiana, Mississippi, Delaware, Connecticut, New Hampshire, Maine, and Hawaii. Payments are pending in Illinois, Vermont, Rhode Island, and Washington. New York has its personal knowledge privateness necessities, NAIC defined.
Excited about Carriers?
Get automated alerts for this matter.