by J. Paul Zimmerman, Partner
Christian & Small LLP
Birmingham, Alabama

While Alabama was late to adopt a data breach notification statute, it is quickly catching up in the data security arena by focusing on consumer data held by insurance entities. In May, Governor Kay Ivey signed the Insurance Data Security Law (Act 2019-98) (the “Law”), which imposes a comprehensive set of data security requirements on persons and entities licensed by the Department of Insurance. While the deadlines for implementing certain of the Law’s requirements are delayed, the statute itself became effective when it was signed.

The Insurance Data Security Law largely adopts the National Association of Insurance Commissioners’ Insurance Data Security Model Law, making only a handful of changes. Front and center in the Law is Section 4, which requires insurance licensees to implement a written information security program. Although what is “reasonable” is scaled to the size of the licensee and other factors, Section 4 addresses nearly all facets of the licensee’s information security program: it contains a lengthy list of components that the program must include, as well as actions licensees are required to undertake. Not only are administrative, technical, and physical safeguards to protect consumer information required, but Section 4 specifies requirements for annual risk assessments, reviews of the security program, employee training, business continuity, and breach response. Additionally, Section 4 specifically requires insurance licensees to consider whether certain enumerated safeguards are appropriate, including access controls, encryption, audit trails for access to information, penetration testing, multi-factor authentication, and other common security methods. Cybersecurity risk must also be included in the licensee’s enterprise risk management efforts; in practical terms, insurance licensees must consider whether to insure against cybersecurity events. All aspects of a licensee’s security program must be documented and regularly reviewed for needed updates and changes.

Perhaps even more imposing is Section 4’s requirement that licensees exercise due diligence in selecting service providers and that licensees mandate certain information security precautions from their third-party service providers. The Law also requires certain actions of directors and corporate officers, and annual written certification of compliance with the Law is required of licensees domiciled in Alabama.

The Law requires written data incident response plans, which must contain certain components, including the process for incident response, definition of roles and responsibilities, and requirements for remediation, reporting, and documentation of the incident and the licensee’s response. Section 5 contains requirements for a licensee’s investigation of a cybersecurity event, including a requirement to retain documentation relating to any event for at least five years for access by the Alabama Department of Insurance.

If triggered, the Law’s data breach notification requirements add to the Alabama Data Breach Notification Statute. Not only will an insurance licensee be required to provide notice of certain data breaches to affected consumers under the Data Breach Notification Statute, but Section 6 of the Insurance Data Security Law contains several specific items of information regarding a cybersecurity incident that must be contained in a notification to the Alabama Insurance Commissioner. Such notification to the Commissioner must occur within three business days of when the licensee determines that a cybersecurity event has occurred. Section 6 contains provisions specifying, in certain situations, which entity is responsible for providing the Commissioner with notification if a licensee with a data access relationship with other entities experiences a cybersecurity incident.

The Law provides some protections for insurance licensees. Primarily, information provided to the Commissioner pursuant to the Law remains confidential and is not subject to subpoenas or open records requests. Furthermore, information that is otherwise privileged remains privileged notwithstanding disclosure to the Commissioner if required by the Law, and such information specifically cannot be introduced as evidence in a private civil action. Moreover, the Law specifically states that it is not intended to create or affect any private right of action against a licensee.

Various portions of the Law contain exceptions from their application. For example, the Law excludes smaller insurance agencies and brokerages. The Law also specifies that its obligations to have written policies and procedures do not apply to any company that has fewer than 25 employees or less than $5 million in annual gross revenue. Notwithstanding these limitations, we advise any company, inside or outside the insurance industry, that possesses confidential personal information of its customers to have written policies and procedures in place, as well as breach response plans, to help limit its exposure as it relates to customer information.

The Law became effective when the governor signed it. However, licensees have two years in which to implement the Law’s requirements regarding vendor management, and one year for the remaining security program requirements in Section 4. Section 10 provides penalties for violation of the Law, in part by reference to existing penalties in the Alabama Insurance Code.

We work with companies to create their policies and procedures for information security and in formulating and implementing data breach response plans. We can help determine the extent to which this law impacts your company and, if so, how to comply with it.

No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.