Missouri Adopts New Data Breach Notice Law for Insurers: The 10 Things Insurers and Licensed Entities Need to Know | Fisher Phillips - JDSupra

As cybersecurity threats escalate, state legislatures across the country are tightening requirements for how insurance entities respond to data breaches, and thanks to a new law just passed several weeks ago, Missouri is getting in on the action. On July 2, Missouri's Governor approved House Bill 974, the Insurance Data Security Act, which will establish standards for insurers and licensed entities regarding data security, breach investigations, and notification protocols when it takes effect on January 1, 2026. What are the 10 things insurers and licensed entities need to know about this law, and where does it fit into the national picture?

The 10 Things Insurers and Licensed Entities Need to Know About the New Missouri Law

Overview of New Law

The design objectives of this new law are to:

1. Information Security Program Requirements

Each licensee must develop and maintain a written information security program that:

2. Oversight

The new law will assign responsibility to personnel or vendors, who will be required to identify and assess threats, both internal and external, and then evaluate current safeguards across systems and training. The law also creates an obligation to annually test key controls and systems for effectiveness.

3. Security Measures

Those covered under the law will need to implement security measures such as access controls, encryption, secure development, and multifactor authentication, as well as to:

4. Governance and Training

Covered entities are required to include cybersecurity in their enterprise risk management program. This includes staying informed on emerging threats and also providing cybersecurity awareness training to staff.

5. Board Oversight

Executive management must maintain the security program. They must deliver annual written reports on status, compliance, and risks.

6. Third-Party Oversight

Covered entities need to not only exercise due diligence in vendor selection but also require vendors to implement security measures to protect accessible data.

7. Incident Response Plan

Each licensee must develop a plan to:

8. Investigation Requirements

When a licensee learns of a possible cybersecurity event, it must promptly:

If the breach involves a third-party provider, the licensee must either complete the investigation itself or confirm the provider has done so. Finally, licensees must maintain records of cybersecurity events for three years and produce them upon request from the Missouri Director of the Department of Commerce and Insurance.

9. Notification Requirements

Licensees must notify the Insurance Director within four business days when a cybersecurity event involving nonpublic information has occurred, when either:

10. Special Cases and Third-Party Events

If a third-party service provider's system is breached, the licensee must treat it as its own incident. The notification deadlines start when the licensee is notified or becomes aware, and agreements between parties may delegate investigation and notification duties.

National Trends and Comparative Insights

Missouri will join 32 other states and Puerto Rico with DOI-specific notice requirements, a clear signal of the growing momentum behind stricter cybersecurity regulations across the U.S. for insurance entities. Further, there is also pending legislation in Idaho.

The majority of these states, along with Missouri, utilize the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The model law's key provisions are:

Core Requirements

Cybersecurity Event Response

Regulatory Authority

These DOI requirements are separate from, and in addition to, the existing data breach statute requirements in all states, but they raise the bar significantly. What sets them apart? Accelerated reporting timelines, more stringent compliance standards, and a broader definition of nonpublic information that goes beyond most states' definitions of personally identifiable information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.