August 6, 2021
As information technology continues to rapidly advance, both businesses and individuals are becoming increasingly dependent on its offerings and advantages. Unfortunately, technological advances come hand-in-hand with the concerning reality of cybersecurity threats. In an effort to get out in front and protect potential victims of cybersecurity breaches, state legislatures are enacting new data security laws, Wisconsin being one of the latest to do so. Wisconsin’s new cybersecurity law was signed by Governor Tony Evers on July 15, 2021, and can be found in Wisconsin Statutes Subchapter IX of Chapter 601. Wisconsin joins approximately 15 other states that have adopted cybersecurity laws based on model National Association of Insurance Commissioners (“NAIC”) legislation. This new Act is aimed at protecting consumers from the increasing risks of cybersecurity threats, such as ransomware and data breaches, at their insurers. Wisconsin insurers should immediately take steps to familiarize themselves with the new legislation and take action to become compliant.
Just One Year From November to Comply
The Act’s effective date is the beginning of the fourth month from the date of publication, which is November 1, 2021. Accordingly, many of the obligations imposed by the Act must be implemented by insurers by November 1, 2022.
The new law is a modified version of legislation originally proposed by the NAIC. Section 601.951 applies generally to “licensees,” which is defined as anyone licensed, authorized, or registered as an insurer in Wisconsin. Functionally, the law will require three main components from insurers.
What the New Law Requires
First, the law requires licensees to implement an information security program that protects nonpublic information, protects against security threats, and protects against unauthorized access to nonpublic information. Licensees have until November 2022 to implement this program.
Next, the law requires insurers to conduct a risk assessment and address any areas that may put their consumers’ data or the insurer’s information technology systems at risk.
Finally, the law requires insurers to implement an incident response plan and to provide notice to consumers affected by any future data breaches in a timely manner. The incident response plan is required to be in writing and must address specified items.
The Possibility of Insurance Investigations by WOCI
The law also gives the Wisconsin Office of the Commissioner of Insurance (WOCI) the power to examine and investigate any insurer to determine compliance with the law and to take necessary and appropriate action to enforce its provisions. Implementing the requirements of Wisconsin’s new law will undoubtedly come with a financial burden to insurers. However, given the potential catastrophic financial impact of a ransomware attack or data breach, Wisconsin insurers should strive to swiftly comply with the new law in order to reduce the adverse impacts of possible cybersecurity attacks. Beyond the financial implications, prompt compliance with Wisconsin’s new law is good business, as the goal of the law is to protect the customer – the insured.