Cyber Security & Your Insurance Information

Almost everyone has some kind of insurance policy, covering anything from their possessions and health to loss of income or life. We depend on it to protect our financial well-being. And we depend on those we trust with our personal insurance information to ensure it remains secure.

Recent reports of cyber-attacks and personal information being released illustrate we are all vulnerable to having our personal data stolen. Modern society relies on so many aspects of cyber infrastructure, data storage, and transmission in the insurance marketplace. 

I co-authored Assembly Bill 147/Senate Bill 160 with Senator Patrick Testin (R) Stevens Point, which creates data security measures for insurance in order to prevent and/or mitigate the potential damage of a data breach. The law applies to insurers, insurance agents, and other entities licensed by the Wisconsin Office of the Commissioner of Insurance.

Under the bill, a licensee must conduct a risk assessment. The risk assessment must identify and analyze foreseeable threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information.

An analysis by the nonpartisan Legislative Reference Bureau states: “the bill defines ‘nonpublic information’ to mean nonpublic electronic information in the possession, custody, or control of a licensee that is either information concerning a Wisconsin resident that can be used to identify the individual in combination with another data element, such as a Social Security number, or certain health-related information that can be used to identify a Wisconsin resident.”

Based on their individual risk assessment, each licensee or third-party provider shall develop, implement, and maintain a comprehensive written information security program. Included within each individual security program will be administrative, technical, and physical safeguards for the external and internal protection of nonpublic information and the licensee’s information system.

Additionally, individual plans must define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when the information is no longer needed.

To certify they are in compliance with the requirements set forth in the bill, an annual written statement will be required from each insurer domiciled in Wisconsin and submitted to the Insurance Commissioner by March 1st of each year. If an insurer identifies areas, systems or processes that require material improvement, updating or redesign, it will be required to document the identification and the remedial efforts to address them. Their documentation must be available for inspection by the Commissioner of Insurance.

The Legislative Reference Bureau’s analysis additionally stated: “The bill also requires that a licensee develop an incident response plan to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information, the licensee’s information systems, or the continuing functionality of the licensee’s business or operations.”

As vice-chair of the Assembly Committee on Insurance, I’ve been working with the Wisconsin insurance industry for the last 3 years in drafting Wisconsin’s redline version of the National Association of Insurance Commissioners Data Security Model Law. Supporting the bill is a vast coalition including: Wisconsin Insurance Alliance, Wisconsin Council of Life Insurers, Professional Insurance Agents, Independent Insurance Agents, National Association Independent Financial Advisors, American Health Insurance Plans, Alliance of Health Insurers, and Office of the Commissioner of Insurance in both Governor Walker’s and Governor Evers’ administrations.

Wisconsin’s home to 335 domiciled insurance companies, employing about 82,000 people, including over 37,000 agents. Senate Bill 160/Assembly Bill 147, which I co-authored with Senator Patrick Testin (R) Stevens Point, creates data security measures for insurance that protect you and your personal information collected by the insurance industry. On July 15, 2021, Governor Evers signed the bill into law.