On August 2, 2019, New Hampshire passed Senate Bill 194 implementing insurance data security requirements by adding RSA 420-P:1 et seq. to the New Hampshire Code. The bill requires licensees to implement procedures to meet certain standards of data security, investigate a cybersecurity event, and notify the Commissioner.
Under SB 194, each licensee shall perform a risk assessment to identify foreseeable threats that could lead to a cybersecurity event. Following that assessment, each licensee must create an information security program tailored to its risk assessment, while also considering its size and complexity, the nature and scope of its activities (including the use of third-party services), and the sensitivity of the nonpublic information in the licensee’s possession. If a company is in compliance with the NYDFS Cybersecurity Regulations, NH will deem that company compliant with its requirements.
New Hampshire’s data privacy initiative comes on the heels of Connecticut and Delaware passing similar legislation on July 26 and July 30, respectively. Delaware’s compliance deadline comes first on July 31, 2020, followed by Connecticut on October 1, 2020. Lastly, New Hampshire’s compliance deadline is on January 1, 2021. Both NH and DE have adopted variants of the NAIC Model Law, whereas CT has chosen to follow the NYDFS Cybersecurity Regulations. What this means for insurers writing across state lines is that they will need to ensure that their cybersecurity plans comply with each state’s separate requirements.
For any questions about NH Senate Bill 194, or any other state’s data security requirements, please contact Westmont Associates, Inc.