Wisconsin Adopts New Insurance Cybersecurity Law
Insights for Insurers Alert | 2 min read
Aug 10, 2021
Hinshaw summer associate Andrew C. Clausen contributed to the research and drafting of this alert.
On July 15, 2021, Wisconsin Governor Tony Evers signed Act 73 (Act) into law, making Wisconsin the latest state to adopt the National Association of Insurance Commissioners' (NAIC) model cybersecurity law. Most recently, Iowa adopted a version of the model law on April 30, 2021.
The Act establishes investigation procedures, data security program standards, and notification requirements for anyone licensed by Wisconsin's Office of the Commissioner of Insurance (licensees), including insurers and agents. Exempt from compliance are licensees with fewer than 50 employees, less than $10 million in total year-end assets, or less than $5 million in gross annual revenue. Other exemptions apply for licensees who are already in compliance with federal guidelines for depository institutions, HIPAA, and the federal Farm Credit Administration.
Under the Act, licensees must develop and implement a security program that contains administrative, technical, and physical safeguards to protect the licensee's information systems and nonpublic information. Based on the outcome of a required risk assessment, the security program designed must take into account the:
- Size and complexity of the licensee;
- Nature and scope of the licensee's activities, including its use of third-party service providers; and
- Sensitivity of the nonpublic information.
As a key component of their security program, licensees must also draft a written incident response plan to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information; the licensee's information systems; or the continuing functionality of any aspect of the licensee's business or operations. The response plan must address things such as the:
- Internal process for responding to a cybersecurity event;
- Roles, duties, and decision-making authority of those responding to such an event;
- Requirements for the remediation of identified weaknesses in the information systems; and
- Evaluation and revision of the incident response plan following a cybersecurity event.
The Act also mandates oversight by a licensee's board of directors or an appropriate board committee, as well as at least annual written reports to the board concerning the overall status of the licensee's information security program and compliance with the Act. Beginning in 2023, licensees based in the state will be required to submit an annual written certification of compliance to the Commissioner of Insurance (Commissioner) before March 1. The licensee must maintain all records, schedules, and data supporting the certification for at least five years.
If a licensee residing in the state experiences a cybersecurity event that has a reasonable likelihood of materially harming a consumer or the normal operations of the licensee, the Commissioner must be notified within three business days of the event. The notice should include as much information as possible about the event, including the nature of the information exposed or breached and the number of consumers affected.
Consumers may also need to be notified within 45 days if the licensee knows that a consumer's nonpublic information in the licensee's possession has been acquired by someone without authorization. If the event involves 1,000 or more consumers, the licensee may also be obligated to notify the various credit reporting agencies.
Enforcement of the Act is exclusive to the Commissioner, who also has investigative authority. Although the Act does not provide for a private cause of action, it is also not meant to curtail a private cause of action that would otherwise exist in the absence of this law. The Act goes into effect on November 1, 2022.