Entities that collect Wisconsin residents’ personal information and are licensed, registered, or authorized (licensee) with the Office of the Commissioner of Insurance (commissioner) will have to abide by a new data security law (Wisconsin’s Insurance Data Security Law), which came into force on November 1. This bill had previously been introduced in the 2019-2020 legislative session and was passed by the assembly before COVID-19 shortened the legislative session. It was then reintroduced this year. Natalie White, the communications director for the Professional Insurance Agents of Wisconsin, Inc. (PIA), noted that an increase in cyberattacks necessitated a standard at the state level. Lawmakers worked with PIA to develop the bill.
Information Security Requirements
Wisconsin’s Insurance Data Security Law now requires licensees to take steps to protect nonpublic information, conduct risk assessments, and develop an information security protection plan. “Nonpublic information” is limited in scope and is defined as electronic information that can be used to identify a consumer, such as Social Security numbers, financial accounts, and biometric information.
Wisconsin’s Insurance Data Security Law will require applicable entities to conduct a risk assessment and then develop an information security program based on that assessment. This risk assessment must identify and assess reasonably foreseeable threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information. Entities that already maintain an information security program that is compliant with certain federal regulations, such as the Gramm Leach Bliley Act or the Health Information Portability and Accountability Act, are exempt from this statute.
After the risk assessment, licensees must develop an information security program that contains administrative, technical, and physical safeguards. These safeguards must (1) protect against threats to the security and integrity of the information systems and nonpublic information, (2) protect against unauthorized access and use of nonpublic information, and (3) establish a data retention policy that includes a schedule for reevaluation and destruction of nonpublic information. Moreover, licensees must develop an incident response plan (IRP). An IRP allows a licensee to promptly respond to, and recover from, a cybersecurity event that compromises the integrity of nonpublic information or the continuing functionality of any aspect of the licensee’s business or operations. This risk assessment and information security program must occur by November 1, 2022.
In the event of a breach, licensees will need to comply with both the notification requirement under Wisconsin’s Insurance Data Security Law, as well as the existing Wisconsin Data Breach Notification Law, which applies more broadly to entities that conduct business in Wisconsin and maintain personal information in their ordinary course of business.
Under the broader statute, a disclosure is required to be made to consumers 45 days after learning of the unauthorized acquisition of nonpublic information. There is no requirement to notify a government agency or regulator. Under Wisconsin’s Insurance Data Security Law, however, licensees will be required to notify the commissioner no later than three business days from the determination of a cybersecurity incident, provided certain additional criteria are met. Entities that will need to comply with both co-existing laws should make note of this additional notification.
How Wisconsin’s Insurance Data Security Law Compares to the Insurance Data Security Model Law and New York’s Cybersecurity Regulations for Financial Services Companies
Wisconsin’s Insurance Data Security Law was based on the National Association of Insurance Commissioner’s Insurance Data Security Model Law (Model Law). The Model Law, in turn, was inspired by New York’s Cybersecurity Regulation (NY Regulation), which also applies to insurance entities. The chart below offers a high-level comparison of the different information security requirements under Wisconsin’s Insurance Data Security Law, the Model Law, and the NY Regulations.
|Requires a Risk Assessment||✓||✓||✓|
|Requires Implementation of an Information Security Program||✓||✓||✓|
|Requires an Incident Response Plan||✓||✓||✓|
|Requires Breach Notification||Must notify commissioner and consumer if applicable||Must notify commissioner||Must notify the superintendent|
|Timeline of Breach Notification to Commissioner||Three (3) business days||72 hours||72 hours|
|Requires Designating a Chief Information Security Officer||X||X||✓|
|Requires Data Minimization||✓||✓||✓|
Updating Incident Response Plans
In a year of increased data breaches, Wisconsin’s new law signifies the growing concern around data security. Wisconsin’s Insurance Data Security Law requires insurance companies to safeguard information that can identify consumers, implement reasonable safeguards to protect this information, and mandate disclosures in the event of a cybersecurity incident. Companies tracking breach notification requirements as part of their incident response plans, policies, and procedures should be prepared to update their materials to account for these new requirements, especially in light of the tight three-day deadline.
 In the event of a breach, licensees must notify the commissioner if (1) the licensee is domiciled in Wisconsin, and the event has a likelihood of materially harming a consumer or a material part of the normal operations of the license; or (2) if the event involves the nonpublic of at least 250 consumers and (a) the entity would be required to provide notice under a different regulatory scheme, state, or federal law, or (b) the cybersecurity event has a likelihood of materially harming a consumer or a material part of the normal operations of the licensee.