Posts Tagged ‘cybersecurity’

Data Breach Prep: Mississippi

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

MISSISSIPPI NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
Miss. Code § 75-24-29. Persons conducting business in Mississippi required to provide notice of a breach of security involving personal information to all affected individuals; enforcement. *(Miss. Code § 75-24-29 is the notification/reporting section).
 
No specified requirements for notice to attorney general or consumer reporting agencies.
 
If courtesy/optional notification is desired to be provided to attorney general, contact information is:
*Attorney General
550 High St.
Suite 1200
Jackson, MS 39205
(601) 359-3680
(601) 359-3680
Website: https://www.ms.gov/Agencies/attorney-general
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Miss. Code s. 83-5-801, et seq., Insurance Data Security Law.  *(Miss. Code § 85-5-811 is the notification/reporting section).
 
Notify:
*Informational Cybersecurity Report webpage provided at https://www.mid.ms.gov/companies/cybersecurityreport.aspx from which to access form to Report a Cybersecurity Event; direct link to form available at  https://imaging.mid.ms.gov/frevvo/web/tn/tenant01/user/iDatixDesigner/app/_FVUrEJE4Eemh7KTijGnx-g/formtype/_CegWAJnrEemh7KTijGnx-g/popupform?&_formActionMethod=post&_formActionUrl=https%253a%252f%252fimaging.mid.ms.gov%252fPublicFormsService%252fCreateForm%253fsingle_use_token%253d1c6fa751-56d9-45f5-9c38-2b29673f785b%2526x-idatix-form-id%253d24%2526x-idatix-form-revision%253d130.
(Questions concerning the Insurance Data Security Law or the reporting of a cybersecurity event can be sent to cyberreporting@mid.ms.gov)

Data Breach Prep: Minnesota

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

MINNESOTA NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
Minn. Stat. § 325E.61. DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES. *(Minn. Stat. § 325E.61 is the notification/reporting section).
 
When breach affects > 500 residents, notify:
*Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Minn. Stat. s. 60A.985, et seq., Information Security Program (which is akin to Insurance Data Security Law).  *( Minn. Stat. § 60A.9853 is the notification/reporting section).
 
Notify:
* Report a Cybersecurity Incident to the MN Dept. of Commerce (the insurance regulator) by filling out the online reporting form at https://c0dzk217.caspio.com/dp/97c73000fa2b637cf862436fb918; also accessible from informational webpage at https://mn.gov/commerce/insurance/industry/information-security/.

Data Breach Prep: Michigan

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

MICHIGAN NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
Mich. Comp. Laws § 445.61, et seq., Identity Theft Protection Act. *(MCLS § 445.72 is the notification/reporting section).
 
When breach affects > 1,000 residents, notify:
*Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
MCLS s. 500.550, et seq., Michigan Insurance Data Security Law, with Michigan Dept.
of Insurance and Financial Services Bulletin 2021-32-INS. *(MCLS § 500.559 and §
500.561 are the notification/reporting sections).
 
 
Notify:
* Bulletin 2021-32-INS contains a link to a form: Notice of Cybersecurity Event (https://www.michigan.gov/-/media/Project/Websites/difs/Form/Insurance/Cybersecurity_Event/FIS_2359.pdf?rev=eb77d9c9e2d4498e99294fced893797c). 
The form must be completed and with its attachments should be submitted as a
single PDF document and sent via email to DIFS-Cybersecurityforms@Michigan.gov.

Data Breach Prep: Maryland

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

MARYLAND NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
Md. Code Com. Law § 14-3501 et seq., Maryland Personal Information Protection Act. *(Md. Code Com. Law § 14-3504 and § 14-3506 are the notification/reporting sections).
 
Prior to giving the individual notification required under the law, provide notice of a breach to the attorney general:
*Attorney General notification requirements are disclosed on website at https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx; send notice to the OAG by one of the following methods: (1) By Mail: Office of Attorney General, Attn: Security Breach Notification, 200 St. Paul Place, Baltimore, MD  2101; (2) By Fax: Attn: Security Breach Notification, (410) 576-6566; (3) By Email: Idtheft@oag.stat.md.us.
 
When breach affects > 1,000 residents, notify:
*Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Md. Ins. Code § 33-101, et. seq., Insurance Data Security Law, with MIA Bulletin 22-13.  *(Md. Ins. Code § 33-105 is the notification/reporting section).
 
Notify:
* Access Maryland Cybersecurity Event Initial Notification Form at https://marylandinsurance.jotform.com/222405158165048

Data Breach Prep: Louisiana

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

LOUISIANA NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
La. Rev. Stat. § 51:3071 et seq. *(La. R.S. § 51:3074 is the notification/reporting section).
La. Admin. Code tit. 16, § 701 (This is the section requiring reporting to the Attorney General’s office at the address provided below).
 
When breach affects any resident requiring a disclosure to that resident, then must also send written notification:
*By mail to Louisiana Department of Justice,
Office of the Attorney General,
Consumer Protection Section
1885 N. Third Street
Baton Rouge, LA 70802
(Information above copied from the administrative code, La. Admin. Code tit. 16, s. 701)
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
La. R.S. § 22:2501, et seq., Insurance Data Security Law.  *(La. R.S. § 22:2506 is the notification/reporting section).
 
Notify:
*Insurance Commissioner’s informational website is https://ldi.la.gov/industry/regulatory-forms/cybersecurity-event, which provides an access hyperlink to the Industry Access Portal at https://ia.ldi.state.la.us/industryaccess from which a report must be filed using the Cybersecurity Reporting Module within the Industry Access Portal.
Supplemental Information and updates, when available, must be provided via cyber.report@ldi.la.gov.

Let's Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM