New Ohio Cyber Insurance Law Effective March 20
Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The Ohio law, Senate Bill 273, became effective on March 20, 2019. Similar to the NAIC model, Ohio’s law requires insurance providers to take several steps to protect personal information, such as conducting risk assessments and maintaining a written information security program and incident response plan. The law also affects how companies select third-party service providers and requires annual certification of compliance.
Like the NAIC model and the rest of its progeny, the Ohio law applies to people required to be registered or licensed under Ohio insurance law, making the law applicable to insurance companies, agents, and brokers, among others. (Reinsurers and risk retention groups chartered and licensed in other states are exempted from the Ohio law.) “Licensees” have one year from the date of passage to comply with the new requirements, while third-party service providers will have two years.