24 May 2021Law & regulation

Tennessee passes insurance data security law to address growing cyber threat

Tennessee Governor Bill Lee has signed the Insurance Data Security Law that will give buyers of insurance in the state new protections for their personal, medical and financial information.

The law toughens existing security measures that Tennessee insurance carriers must take to protect consumer information. It requires insurance carriers to identify any threats that could result in breaches of consumers’ private information, and develop and implement security programmes based on individual risk assessments, with a designated employee taking responsibility for that programme.

Insurers must also investigate any cybersecurity breach and notify the insurance commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.

The law takes effect from July 1, 2021 and is based on model legislation created by the National Association of Insurance Commissioners (NAIC) with the input of national regulators after a succession of data breaches.

The NAIC has made cybersecurity and consumer data protection its top priorities, with the model legislation emerging following a two year collaborative process.

Tennessee Department of Commerce and Insurance Commissioner Carter Lawrence said the legislation “represents an important step forward in helping Tennessee address cybersecurity threats in the insurance industry.”

Bill Huddleston, assistant commissioner for insurance, said: “Tennessee’s adoption of the bill is critical for the commissioner and the department to have the tools they need to better protect Tennesseans’ sensitive consumer information.”