There was a time when the internet was like the wild west. The commonly held perception was that data was irrelevant to the bottom line and to the mitigation of risk. Just as NBA players began shooting more three-pointers, enterprises started to realize that their data was their very existence. Used correctly, data can exponentially increase profitability and optimize customer experience and retention. Used incorrectly, data can cause massive losses to a business’s bottom line and its reputation.
Judging by recent media reports, people and businesses are inundated with news of data breaches. A few significant breaches that come to mind are those experienced by Capital One, Marriott, and Quora. A recent Netflix release covering the Cambridge Analytica scandal, titled “The Great Hack,” has officially cemented data security in the public consciousness. It’s only a matter of time until federal legislation is enacted to alleviate consumer and enterprise risk. Look to the European Union’s GDPR for an example of legislation focused on defining best practices for keeping data secure. While the United States has yet to pass data security laws at the federal level, industry-specific legislation has already been enacted in certain states.
NAIC Data Security Law
One industry that has proactively worked to standardize data security is the insurance industry. Such firms handle highly confidential financial records, including those of individual citizens. Data breaches involving insurance companies and credit unions are therefore not only a risk to company earnings but also a direct threat to consumer privacy. This notion unfortunately gained international notice in the wake of the devastating Equifax data breach of 2017. Equifax’s data breach compromised sensitive personal data of 148 million Americans, resulting in the company paying $700 million in a settlement.
Within the American insurance industry, the National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from all U.S. states. The NAIC introduced a comprehensive law, the NAIC Insurance Data Security Model Law, in late 2017, leaving it to individual states to decide whether to adopt the legislation. Thus far, four states have chosen to pass this legislation, including Michigan. Michigan enacted the NAIC Insurance Data Security Model Law as House Bill No. 6491 on Dec. 28, 2018. This legislation comes into effect on Jan. 20, 2021, with compliance required by Jan. 20, 2022.
Network vs. Database Security
In conversations I’ve had with companies regarding their security measures, I’ve learned that the general approach to enterprise security is flawed. The execution gap lies in the imbalance between security at the network level and security at the database level. Network security is essentially a fence that uses encryption to keep unauthorized parties out of a computer network and its network-accessible resources. This is an important measure in creating a secure environment, but it leaves a major vulnerability that can be exploited. Namely, what protects the information once an actor has gained access to the environment?
For simplicity’s sake, I’ll use a football analogy to make this topic more relatable. The Detroit Lions’ offense revolves around star quarterback Matthew Stafford, a player they pay $27 million annually to perform at the highest level. With this in mind, it stands to reason that a key focus of the team would be protecting this investment and ensuring Stafford remains healthy and productive. Network security in this example would be the Lions’ offensive line, a unit tasked with preventing unwanted actors from reaching their mission-critical investment. What happens if a defender breaks through the Lions’ protection, though? Do the Lions simply hope this never happens, with no further safety measures? Of course not.
The Lions make it as difficult as possible for defenders to harm their quarterback by giving him pads, so that if he is reached, the damage is limited. Furthermore, the Lions’ offense runs plays designed to confuse the defense, including play action, which obstructs the defense’s ability to locate Stafford. This is exactly the value database security provides to enterprises, through technologies such as database encryption, data masking, and data redaction.
To truly create a secure environment, companies cannot worry only about keeping actors out. They must also ensure that, even if actors do get in, measures are in place to prevent harmful exploitation. To remain in compliance with Michigan’s NAIC Data Security Model Law, enterprises must combine network and database encryption in a comprehensive, holistic approach or solution.
1) Who does this law concern?
This NAIC Insurance Data Security Model Law applies to “Licensees,” defined as: “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”
- Insurance carriers of all sizes
- Individuals providing insurance-related services
- Firms including agency and brokerage businesses
- Insurance companies
- Companies not typically considered part of the insurance industry but that offer insurance packages as a component of their business, such as car rental companies and travel agencies
Not included: Licensees with fewer than 10 employees
2) When does this law take effect?
Michigan formally passed House Bill No. 6491 on Dec. 28, 2018. The law becomes effective on Jan. 20, 2021, with licensees having until Jan. 20, 2022 to implement these changes.
3) What are the requirements of this law?
- Yearly Security Risk Assessments
- Breach notification within 10 days after discovery
- Implementation of an information security program based on the results of the Security Risk Assessment
- Designate one or more employees, an affiliate, or an outside vendor to be responsible for the information security program
- Put authentication controls in place to restrict access to information systems holding nonpublic information
- Restrict access at physical locations containing nonpublic information
- Encrypt nonpublic information being transmitted over an external network and being stored on portable devices
- Adopt secure in-house development practices and evaluate the security of externally developed applications
- Develop, implement, and maintain procedures for the secure disposal of nonpublic information
- Implement measures to protect nonpublic information against threats from environmental hazards
- Include audit trails within the information security program to detect cybersecurity events
- Regularly test and monitor systems and procedures
- Create a written incident response plan designed to recover from a cybersecurity event
Josh Levine is an account executive at Oracle (Michigan), where he leverages the company’s market-leading database, middleware, and business intelligence platforms to help companies turn their high growth into sustained excellence.