Co-Founder + Forensic Expert
My trip to Columbia, SC was a great opportunity to sit down with others in the insurance sector and get some clarification from the Department of Insurance (DOI) about the Insurance Data Security Act (IDSA). Melissa Manning and Kendall Buchanan, DOI Representatives, provided answers to questions submitted by insurance professionals and gave attendees tips on how to stay informed of the latest information. Below are important details shared with attendees during this meeting.
Inclusion & Exclusion
The Insurance Data Security Act (IDSA) specifies those in the insurance sector who fall into the classifications of “Licensed Excess”, “Surplus Line Carrier”, and “Captive Agents”. More specifically, inclusion starts at ten or more employees for the insurance entity and can be avoided if any of the above parties are fully covered under a parent company’s Information Security Plan (ISP).
For those agencies that are covered by HIPAA, IDSA compliance is inherent because the Health Act is more stringent. The Department of Insurance is drafting a to certify organizational exclusion from the Insurance Data Security Act.
Access & Encryption
Security fundamentals dictate that organizations should take a “least privilege” approach to user access, and the IDSA has not strayed far from that approach. In fact, under the guidelines of the Insurance Data Security Act, companies should restrict access to Non-public Information to those employees or third-party entities who have a legitimate need to access it.
Encryption is unfortunately a topic where IDSA diverges from common information security practices. The act does not require that companies encrypt any of their data or information. However, a company should still implement encryption, because having data locked away could save the organization millions in fines and costs from a breach. Encryption protects the data, and theft of encrypted data is not considered a reportable event by the Department of Insurance unless the key is also stolen.
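The two points above, need-to-know access to non-public information and encryption at rest with the key held apart from the data, can be shown together in code. The following is an added example written for this post, not code from the author or from the DOI; the roles, the in-memory key store, and the sample policyholder record are all constructed assumptions. A data store holding only ciphertext is unreadable without the separately held key, and a caller without a need-to-know role is refused before any decryption is attempted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical need-to-know policy: only these roles may read non-public information.
var npiReaders = map[string]bool{
	"claims_adjuster": true,
	"underwriter":     true,
}

var ErrNotAuthorized = errors.New("role has no need-to-know for non-public information")
var ErrNoKey = errors.New("encryption key not available")

// KeyStore stands in for a separate key-management service (assumption for this example).
// Keys are never written beside the ciphertext they protect.
type KeyStore map[string][]byte

// EncryptedRecord is what lands in the data store: ciphertext, nonce and the key id used.
type EncryptedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random AES-256 key and registers it under id.
func NewKey(ks KeyStore, id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks[id] = k
	return nil
}

func gcmFor(ks KeyStore, keyID string) (cipher.AEAD, error) {
	key, ok := ks[keyID]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptNPI seals a non-public record with AES-GCM; the key id is bound as associated data.
func EncryptNPI(ks KeyStore, keyID string, plaintext []byte) (EncryptedRecord, error) {
	gcm, err := gcmFor(ks, keyID)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return EncryptedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// ReadNPI enforces least privilege first, then decrypts with the separately held key.
func ReadNPI(ks KeyStore, role string, rec EncryptedRecord) ([]byte, error) {
	if !npiReaders[role] {
		return nil, ErrNotAuthorized
	}
	gcm, err := gcmFor(ks, rec.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	keys := KeyStore{}
	_ = NewKey(keys, "npi-key-1")
	// Constructed sample record; not real policyholder data.
	rec, _ := EncryptNPI(keys, "npi-key-1", []byte("policyholder 000-00-0000 (constructed)"))

	// A stolen copy of the data store without the key store yields nothing.
	if _, err := ReadNPI(KeyStore{}, "underwriter", rec); err != nil {
		fmt.Println("ciphertext without key:", err)
	}
	// A role outside the need-to-know list is refused before decryption.
	if _, err := ReadNPI(keys, "marketing", rec); err != nil {
		fmt.Println("no need-to-know:", err)
	}
	pt, _ := ReadNPI(keys, "claims_adjuster", rec)
	fmt.Println("authorized read:", string(pt))
}
```

Binding the key id as GCM associated data means a record cannot be silently re-pointed at a different key, and the authentication tag makes any tampering with the stored ciphertext a decryption failure rather than silently corrupted data.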
Third-party Service Providers
If third-party service providers have access to non-public information, insurance companies will need to continually assess their relationship with the service provider. As a reminder on non-public information, the data is defined in broad terms as sensitive business-related information of the licensee or the private information of the client. I encourage any entity covered by this act to truly understand non-public information as defined by DOI, because those who have access to it must meet the requirements of this act. Furthermore, this forces insurance companies or licensees to take responsibility for ensuring third-party service providers are compliant.
Still unclear at this time are the ramifications when a third-party service provider fails to cooperate with the insurance licensee to develop a comprehensive information security plan. Does an insurance licensee have to find a new provider or move the services back within their control? Hopefully, as this act matures like HIPAA, these questions will be answered.
Insurance companies must conduct an annual risk assessment, which is akin to a standard information security assessment. While this act does not specifically lay out the steps required to be completed during the risk assessment, it does define tangible steps or activities needed based on the results.
Additionally, the thoroughness of the risk assessment depends upon the complexity of the entity’s operational and information systems, but it should include all facets of the business operations and information security. Each licensee will have to evaluate the scope of their operation and make sure the security measures are commensurate.
Licensees may conduct the risk assessment in house if they have the expertise, such as qualified cybersecurity professionals. However, if the assessment is handed off to a third-party service provider, the provider must meet the requirements of this act if they have access to the non-public information. Either way, the Information Security Plan (ISP) will be based on the outcome of the assessment. Currently, a format for the assessment report is defined, and the reports must be kept by the licensee for five years.
Cyber Security Event
A cyber security event as defined by IDSA includes the compromise of unencrypted non-public information. The Department of Insurance expects notification even when law enforcement may restrict notification of the public. To aid in reporting, the Department of Insurance is developing an online reporting system for cybersecurity events, which is expected to be completed by September 18, 2018.
More IDSA Info
Signing up for Notifications
The Department of Insurance encourages licensees and third-party service providers to sign up for bulletins and press releases on their website at www.doi.sc.gov. Once on the website, click the button for “Notification Subscriptions”.
The Department of Insurance hopes to have a live webinar/seminar on this topic on September 10, 2018. Updated information on this event will be pushed out through their notification system.