Many states require insurance providers that do business in the state to complete an annual certification of compliance. For example, the deadline in New Hampshire is coming up on March 1. The deadline in Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina was February 15. (The deadline under new laws in Michigan and Virginia will also be February 15, starting in 2022 and 2023, respectively.) The deadline in New York is April 15.
This certification requirement is captured in the model Insurance Data Security Law adopted by the National Association of Insurance Commissioners (NAIC). The model law, and the states that have implemented it, require insurers not only to have an information security program in place, but also to attest to their compliance. There are some exemptions, including for licensees with fewer than ten employees, licensees that are subject to and in compliance with HIPAA, and employees, agents, and representatives of a licensee who are covered by that licensee's program. As part of the certification process, companies typically must submit written confirmation that they comply with the law, and therefore have, among other things:
- A comprehensive written information security program commensurate with the company’s size and complexity
- A written incident response plan
- Employee training
- Appropriate oversight by the company’s board of directors
Once the certification is submitted, companies must retain the records, schedules, and data supporting it, so that the basis for the attestation can be reviewed by the regulator. In most states that retention period is five years.
Putting it Into Practice: When fulfilling certification obligations, companies should keep in mind the underlying requirements to which they are certifying; the attestation is only as good as the program, plan, training, and board oversight behind it. Certification season is a good reminder to regularly take stock of ongoing compliance obligations and the efforts supporting them.