New Hampshire Governor Chris Sununu signed into law a data security measure that established standards for the state’s insurance industry in terms of data protection, investigation of cybersecurity events, and notification procedures. The law will take effect on January 1, 2020.

Linn Foster Freedman filed this report published in Data and Privacy Security Insider:

The law requires insurance companies to implement an Information Security Program (ISP) that contains administrative, technical and physical safeguards to protect non-public information and includes a security risk assessment. The ISP must include:

• a program to manage the threats identified in the risk assessment, including encryption and multi-factor authentication;
• cybersecurity awareness training;
• due diligence in hiring third parties and requiring those third parties to implement security measures; and
• an incident response plan.

Licensees are required to investigate cybersecurity events, and notify the Commissioner within three days “of a determination that a cybersecurity event has occurred,” defined to mean, actual knowledge that the event occurred. Insurance companies are required to provide the Commissioner with a copy of any notification letter that is sent to any consumers under the New Hampshire data breach notification law.

The Commissioner has the right to investigate any cybersecurity event of a licensee to determine if it has been in violation of the law, and “may take action that is necessary or appropriate to enforce the provisions of the law.”