Wisconsin Insurance Data Security Law

Wis. Stat. § 601.95

Type of Data Covered: Electronic.
Deadline for Government Notification: As promptly as possible, but no later than three (3) business days after determining that a cybersecurity event occurred.
Government Notice Requirement: Yes - notify the Insurance Commissioner.

Licensees

Applies to a “licensee”, defined as a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized, or registered under Wisconsin insurance laws.

Risk retention groups chartered and licensed in another state and insurers acting as an assuming insurer domiciled in another state are exempt from the definition of licensee.

Security Standard under the Insurance Data Security Law

Licensees must conduct a risk assessment and, based on that assessment, develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards to protect the licensee’s information systems and nonpublic information.

The comprehensive written information security program must be designed to do all of the following:

  • Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
  • Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and
  • Establish and periodically reevaluate a schedule for retention and disposal of nonpublic information and establish a mechanism for the destruction of nonpublic information that is no longer needed.

Exemption: A licensee that meets any of the following criteria is not required to develop, implement, or maintain a comprehensive written information security program:

  1. Has less than $10,000,000 in year-end total assets.
  2. Has less than $5,000,000 in gross annual revenue.
  3. Has fewer than 50 employees, including independent contractors, who work at least 30 hours a week for the licensee.

Type of Data Covered

Electronic.

Definitions

“Consumer” means an individual who is a resident of Wisconsin and whose nonpublic information is in the possession, custody, or control of a licensee.

“Cybersecurity event” means an event resulting in the unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored on an information system, except that a “cybersecurity event” does not include any of the following:

  • The unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released, or used without authorization.
  • The unauthorized acquisition of nonpublic information if the licensee determines that the nonpublic information has not been used or released and has been returned to the licensee or destroyed.

“Nonpublic information” means electronic information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:

  • Information concerning a consumer that can be used to identify the consumer, in combination with at least one of the following data elements:
    1. Social security number.
    2. Driver’s license number or nondriver identification card number.
    3. Financial account number or credit or debit card number.
    4. Security code, access code, or password that permits access to a financial account.
    5. Biometric records.
  • Information or data, other than information or data regarding age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify the consumer and that relates to any of the following:
    1. The physical, mental, or behavioral health or condition of the consumer or a member of the consumer’s family.
    2. The provision of health care to the consumer.
    3. Payment for the provision of health care to the consumer.

Methods of Compliance

Risk Assessment

As part of the risk assessment, a licensee must:

  • Designate at least one employee, affiliate, or outside vendor as responsible for the information security program;
  • Identify reasonably foreseeable internal and external threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to or held by third-party service providers;
  • Assess the likelihood and potential damage of identified threats, taking into consideration the sensitivity of the nonpublic information;
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage identified threats, including consideration of threats in each relevant area of the licensee’s operations, including all of the following:
    • Employee training and management;
    • Information systems, including information classification, governance, processing, storage, transmission, and disposal; and
    • Processes for detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Written Information Security Program

Based on the risk assessment, a licensee must:

  • Design an information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information;
  • Implement the following security measures that the licensee determines are appropriate:
    • Place access controls on information systems;
    • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy;
    • Restrict physical access to nonpublic information to authorized individuals;
    • Protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
    • Adopt secure development practices for in-house developed applications used by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee;
    • Modify the information system in accordance with the licensee’s information security program;
    • Use effective controls, which may include multifactor authentication procedures, for employees accessing nonpublic information;
    • Regularly test and monitor systems and procedures to detect actual and attempted attacks on or intrusions into information systems;
    • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
    • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;
    • Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.
  • Stay informed regarding emerging threats or vulnerabilities and implement safeguards to manage the threats and vulnerabilities.
  • No less than annually, assess the effectiveness of security safeguards, including key controls, systems, and procedures.
  • Include cybersecurity risks in the licensee’s enterprise risk management process.
  • Use reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.
  • Provide personnel with cybersecurity awareness training that is updated as necessary.

Adjustments to Written Information Security Program

  • Licensees must monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee’s own changing business arrangements, outsourcing arrangements, and changes to information systems.
  • If areas, systems, or processes that require material improvement, updating, or redesign are identified, the licensee must document its identification and remedial efforts.
  • Licensees must maintain the documentation for at least five (5) years starting from the date the documentation was created, and must produce the documentation upon demand of the Insurance Commissioner.

Incident Response Plan

A licensee must establish, as part of its written information security program, a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.

The Incident Response Plan must include all of the following:

  • The goals of the incident response plan;
  • The internal process for responding to a cybersecurity event;
  • The identification of clear roles, responsibilities, and levels of decision-making authority during and immediately following a cybersecurity event;
  • The external and internal communications and information sharing;
  • Requirements for the remediation of any identified weaknesses in information systems and associated controls;
  • The documentation and reporting of cybersecurity events and related incident response activities; and
  • The evaluation and revision of the incident response plan, as necessary, following a cybersecurity event.

Oversight of Third-Party Service Providers

Licensees must exercise due diligence in selecting a third-party service provider and make reasonable efforts to require third-party service providers to:

  • Implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider; and
  • Report a cybersecurity event in accordance with the Wisconsin Insurance Data Security Law.

Oversight by a Board of Directors

If a licensee has a board of directors, the board or an appropriate committee of the board must, at a minimum, do all of the following:

  • Require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s information security program.
  • Oversee the development, implementation, and maintenance of the information security program.
  • Require the licensee’s executive management or its delegates to report annually all of the following information:
    • The overall status of the information security program and the licensee’s compliance with statutory requirements.
    • Material matters relating to the information security program, including issues relating to risk assessment, risk management and control decisions, third-party service provider arrangements, and security testing.
    • Recommendations for modifications to the information security program.

Certification of Compliance:

  • A licensee domiciled in Wisconsin must submit to the Insurance Commissioner no later than March 1 of each year a written certification that it is compliant with the requirements outlined above.
  • If a licensee no longer qualifies for the exemption, it must comply with the requirements no later than 180 days after the date it ceases to qualify.
  • Licensees must maintain all records, schedules, and data supporting the certification for five (5) years and must produce the records, schedules, and data upon demand of the Insurance Commissioner.

Duty to Investigate Cybersecurity Events

If a licensee learns that a cybersecurity event involving the licensee's information systems or nonpublic information has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, must conduct a prompt investigation that includes the following:

  • An assessment of the nature and scope of the cybersecurity event.
  • The identification of any nonpublic information that was or may have been involved in the cybersecurity event.
  • The performance of reasonable measures to restore the security of the licensee’s information systems compromised in the cybersecurity event and prevent additional unauthorized acquisition, release, or use of nonpublic information.

If a licensee knows that a cybersecurity event has or may have occurred in an information system maintained by a third-party service provider, the licensee must conduct an investigation as outlined above or make reasonable efforts to confirm and document that the third-party service provider has either completed the investigation or failed to cooperate with the investigation.

Licensees must maintain records concerning a cybersecurity event for a period of five (5) years starting from the date of the cybersecurity event and must produce the records upon demand of the Insurance Commissioner.

Commissioner Notice Requirements

A licensee must notify the Insurance Commissioner that a cybersecurity event involving nonpublic information has occurred if any of the following conditions is met:

  1. The licensee is domiciled in Wisconsin and the cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.
  2. The licensee reasonably believes that the cybersecurity event involves the nonpublic information of at least 250 consumers residing in Wisconsin and:
    • Notice is required to be provided to a government body, self-regulatory agency, or other supervisory entity under state or federal law.
    • There is a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.

Timing:

A licensee shall provide the notification as promptly as possible, but no later than three (3) business days from the determination that the cybersecurity event occurred.

Contents:

The licensee shall provide as much of the following information as possible:

  • The date and source of the cybersecurity event and the time period during which information systems were compromised by the cybersecurity event.
  • A description of how the cybersecurity event was discovered.
  • A description of how the nonpublic information was exposed, lost, stolen, or breached and an explanation of how the information has been, or is in the process of being, recovered.
  • A description of the specific data elements, including types of medical, financial, and personally identifiable information, that were acquired without authorization.
  • The number of consumers affected by the cybersecurity event.
  • A description of efforts to address the circumstances that allowed the cybersecurity event to occur.
  • The results of any internal review related to the cybersecurity event, including the identification of a lapse in automated controls or internal procedures.
  • Whether the licensee notified a government body, self-regulatory agency, or other supervisory entity of the cybersecurity event and, if applicable, the date the notification was provided.
  • A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take, or has taken, to investigate and notify consumers affected by the cybersecurity event.
  • The name of a contact person who is familiar with the cybersecurity event and authorized to act for the licensee.

The licensee is required to update and supplement the information provided to address material changes to the information as additional information becomes available.

Method:

In electronic form, as directed by the Commissioner.

Consumer Notification Requirements

If a licensee knows that nonpublic information of a consumer in the licensee’s possession has been acquired by a person whom the licensee has not authorized to acquire the nonpublic information, the licensee must make reasonable efforts to notify each consumer who is the subject of the nonpublic information.

Timing:

Notice must occur within a reasonable time, not to exceed 45 days after the licensee learns of the acquisition of nonpublic information. A determination as to reasonableness includes consideration of the number of notices that the licensee must provide and the methods of communication available to the licensee.

Contents:

The notice shall indicate that the licensee knows of the unauthorized acquisition of nonpublic information pertaining to the consumer.

Upon written request by a consumer who has received a notice, the licensee that provided the notice must identify the nonpublic information that was acquired.

Method:

Notice is required by mail or by a method the licensee has previously employed to communicate with the consumer who is the subject of the nonpublic information. If a licensee cannot with reasonable diligence determine the mailing address, and if the licensee has not previously communicated with the subject of the nonpublic information, the licensee shall provide notice by a method reasonably calculated to provide actual notice.

Consumer Reporting Agencies Notification Requirement

If a licensee is required to notify 1,000 or more Wisconsin residents, the licensee must notify all consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the notices sent to the consumers.

Exceptions to Notice Requirement

Notification to consumers and consumer reporting agencies is not required if:

  • The acquisition of nonpublic information does not create a material risk of identity theft or fraud to the individual; or
  • The nonpublic information was acquired in good faith by an employee or agent of the licensee and is used for a lawful purpose.

These exceptions do not affect the requirement to notify the Insurance Commissioner.

Enforcement

The Insurance Commissioner may investigate a licensee to determine whether it has engaged in any violation and may take any action that is necessary or appropriate to enforce the requirements of this statute.

Last updated: January 2024