The administration of Gov.
State Commerce Commissioner
The announcement comes less than a week after the
"We see the stories every day that companies are under attack from a variety of sources, whether they are individual hackers or government-sponsored intrusions. Consumers, and information held by insurance companies and related licensees, are always under attack," Kelley said. "So it is appropriate to take common-sense steps to increase the protections against cybersecurity as well as other kinds of threats to protect the information of consumers."
With Walz' support, Kelley said he will bring forward legislation in February to have
The model law was drafted in 2017 by the
The national insurance group said the push for a model law was prompted in 2016 by a string of cybersecurity breaches of sensitive personal information about millions of insurance customers. The nation's largest breach of health care data, affecting 78.8 million Americans (including 11,000 in
"State adoption of the model [law] is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information," the NAIC said this month in a fact sheet about the law.
Unlike other types of insurance companies, health insurers must already comply with the federal data-privacy law commonly known as HIPAA, which requires covered entities like insurers, hospitals and their contractors to regularly scan their networks for security vulnerabilities and to remediate them, either by installing security patches or taking other steps to protect computer systems from unauthorized access.
Kelley noted that the model state law exempts HIPAA-compliant health insurance companies from the requirement to develop and maintain a risk-based cybersecurity program, including having a designated employee in charge of their program. Other types of insurers not covered by HIPAA would have to follow that aspect of the state law.
But the new law would give Kelley's office the ability to examine insurance companies' risk assessments and emergency-response plans. It would also require all insurers to notify his office, as well as state residents, if they detect a breach of sensitive data from their systems.
Identity thieves can use stolen personal information to harass victims or commit financial fraud, and health care data is among the sought-after information on the criminal black market. But Kelley said data breaches are a "big deal" to consumers even if they don't lead directly to harassment or fraud. For example, such data can be used to illegally discriminate against people because of health status or other sensitive details.
"One of the challenges in this modern age is this ability of data-rich companies to draw connections among disparate pieces of data, even if they don't have the whole thing," Kelley said.
(c)2019 the Star Tribune (Minneapolis)
Distributed by Tribune Content Agency, LLC.