Entities that collect Wisconsin residents’ personal information and are licensed, registered, or authorized (licensee) with the Office of the Commissioner of Insurance (commissioner) will have to abide by a new data security law (Wisconsin’s Insurance Data Security Law), which came into force on November 1. This bill had previously been introduced in the 2019-2020 legislative session and was passed by the assembly before COVID-19 shortened the legislative session. It was then reintroduced this year. Natalie White, the communications director for the Professional Insurance Agents of Wisconsin, Inc. (PIA), noted that an increase in cyberattacks necessitated a standard at the state level. Lawmakers worked with PIA to develop the bill.

Information Security Requirements

Wisconsin’s Insurance Data Security Law now requires licensees to take steps to protect nonpublic information, conduct risk assessments, and develop an information security protection plan. “Nonpublic information” is limited in scope and is defined as electronic information that can be used to identify a consumer, such as Social Security numbers, financial accounts, and biometric information.

Wisconsin’s Insurance Data Security Law will require applicable entities to conduct a risk assessment and then develop an information security program based on that assessment. The risk assessment must identify and assess reasonably foreseeable threats that could result in unauthorized access to, or transmission, disclosure, misuse, alteration, or destruction of, nonpublic information. Entities that already maintain an information security program compliant with certain federal regulations, such as the Gramm-Leach-Bliley Act or the Health Information Portability and Accountability Act, are exempt from this statute.

After the risk assessment, licensees must develop an information security program that contains administrative, technical, and physical safeguards. These safeguards must (1) protect against threats to the security and integrity of the information systems and nonpublic information, (2) protect against unauthorized access to and use of nonpublic information, and (3) establish a data retention policy that includes a schedule for reevaluation and destruction of nonpublic information. Moreover, licensees must develop an incident response plan (IRP). An IRP allows a licensee to promptly respond to, and recover from, a cybersecurity event that compromises the integrity of nonpublic information or the continuing functionality of any aspect of the licensee’s business or operations. The risk assessment and information security program must be in place by November 1, 2022.

Notice Requirements

In the event of a breach, licensees will need to comply with both the notification requirement under Wisconsin’s Insurance Data Security Law, as well as the existing Wisconsin Data Breach Notification Law, which applies more broadly to entities that conduct business in Wisconsin and maintain personal information in their ordinary course of business.

Under the broader statute, a disclosure must be made to consumers within 45 days of learning of the unauthorized acquisition of nonpublic information. There is no requirement to notify a government agency or regulator. Under Wisconsin’s Insurance Data Security Law, however, licensees will be required to notify the commissioner no later than three business days from the determination of a cybersecurity incident, provided certain additional criteria are met.[1] Entities that will need to comply with both co-existing laws should make note of this additional notification.

How Wisconsin’s Insurance Data Security Law Compares to the Insurance Data Security Model Law and New York’s Cybersecurity Regulations for Financial Services Companies

Wisconsin’s Insurance Data Security Law was based on the National Association of Insurance Commissioners’ Insurance Data Security Model Law (Model Law). The Model Law, in turn, was inspired by New York’s Cybersecurity Regulation (NY Regulation), which also applies to insurance entities. The chart below offers a high-level comparison of the information security requirements under Wisconsin’s Insurance Data Security Law, the Model Law, and the NY Regulation.

Principle                                                  | Wisconsin’s Insurance Data Law                        | Model Insurance Law      | NY Regulation
Requires a Risk Assessment                                 |                                                       |                          |
Requires Implementation of an Information Security Program |                                                       |                          |
Requires an Incident Response Plan                         |                                                       |                          |
Requires Breach Notification                               | Must notify commissioner and consumer if applicable   | Must notify commissioner | Must notify the superintendent
Timeline of Breach Notification to Commissioner            | Three (3) business days                               | 72 hours                 | 72 hours
Requires Designating a Chief Information Security Officer  | X                                                     | X                        |
Requires Data Minimization                                 |                                                       |                          |

(The check marks in the original chart did not survive extraction; those cells are left blank.)

Updating Incident Response Plans

In a year of increased data breaches, Wisconsin’s new law signifies the growing concern around data security. Wisconsin’s Insurance Data Security Law requires insurance companies to safeguard information that can identify consumers, implement reasonable safeguards to protect this information, and make required disclosures in the event of a cybersecurity incident. Companies tracking breach notification requirements as part of their incident response plans, policies, and procedures should be prepared to update their materials to account for these new requirements, especially in light of the tight three-day deadline.

[1] In the event of a breach, licensees must notify the commissioner if (1) the licensee is domiciled in Wisconsin, and the event has a likelihood of materially harming a consumer or a material part of the normal operations of the licensee; or (2) the event involves the nonpublic information of at least 250 consumers and (a) the entity would be required to provide notice under a different regulatory scheme, state, or federal law, or (b) the cybersecurity event has a likelihood of materially harming a consumer or a material part of the normal operations of the licensee.