N.H. Gets Insurance Data Security Law

Insurers have one year to comply with the law.
August 12, 2019

On August 2, 2019, New Hampshire Gov. Chris Sununu signed into law SB 194, which requires insurers licensed in the state to put in place data security programs and report cybersecurity events. Insurers have one year to comply with the law after Jan. 1, 2020, when the bill takes effect, and they have two years after that date to ensure their third-party vendors also comply.

Insurers and their vendors must install information security programs, protect non-public information, adopt an incident response plan, and notify the state insurance commissioner of a cybersecurity event within three business days of a determination that a cybersecurity event has occurred when the licensee is domiciled in New Hampshire, or if the cybersecurity event is reasonably believed to have affected at least 250 New Hampshire residents, among other criteria. Licensees also must maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event.

The state insurance commissioner may take “necessary or appropriate” action to enforce the new law, and violations can result in the suspension or revocation of a licensee’s certificate of authority or license or an administrative fine of up to $2,500 per violation.

Navigate in this section: