Per the 2007 Massachusetts Data Breach Notification Law, the Massachusetts Attorney General needs to be notified by mail by any company storing MA residents’ personal data if this data is compromised or breached in any way. Massachusetts has now extended this by adding a data breach reporting portal. The MA law is much less extensive than the NY State Cybersecurity law.
The new MA portal highlights the need for insurance carriers to keep up with regulatory changes not just from state insurance regulators, but also general state data and financial service regulations that apply to any type of firm. The reporting requirements are different from state to state, as are the penalties for not complying. NY recently extended their regulations to credit reporting agencies because of the Equifax breach. MA had an enforcement action toward Equifax in late 2017 under their data breach notification law.
We are seeing an increased focus on data: How data is categorized, stored, governed, secured, and reported drives a firm’s ability to avoid data breaches. Insurers need a CISO who owns the security practice and programs. Additionally, carriers will need someone who owns data at an enterprise level (possibly a Chief Data Officer) to ensure effective data governance. The CDO and CISO should be working together to avoid data breaches, detect when breaches do happen, remediate the situation effectively, and report breaches in a timely way that complies with each state’s regulations. In MA, the new portal will help with timely reporting of breaches.
As we have mentioned in the past, security risk, including the risk of data breaches, puts the firm’s reputation and the careers of C-level executives at risk, all the way up to the CEO. Insurance carriers can no longer avoid dealing with security and data challenges.