Live Free or Die Legal
This website is not an official source of law. This website does not provide legal advice. For official legal materials, verify against the relevant court, legislature, agency, or other official source. Legal information may be incomplete, outdated, or incorrectly processed. Consult a qualified attorney for advice about a specific legal matter.

This RSA section is an unofficial mirror, is not legal advice, and may be incomplete, outdated, or incorrectly processed.

RSA 420-P:6 · Notification of a Cybersecurity Event

Title
XXXVII: INSURANCE
Chapter
420-P · INSURANCE DATA SECURITY LAW
Status
current
Official source linked
Yes
Official source Copy section link

420-P:6 Notification of a Cybersecurity Event. –

Copy link
I.

Each licensee shall notify the commissioner within 3 business days of a determination that a cybersecurity event has occurred when either of the following criteria has been met:

Copy link
(a)

New Hampshire is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in RSA 402-J, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operations of the licensee; or

Copy link
(b)

The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in New Hampshire and that the cybersecurity event:

Copy link
(1)

Impacts the licensee, in which case notice shall be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or

Copy link
(2)

Has a reasonable likelihood of materially harming:

Copy link
(A)

Any consumer residing in this state; or

Copy link
(B)

Any material part of the normal operations of the licensee.

Copy link
II.

The licensee shall provide as much of the following information as possible. The licensee shall provide the information in electronic form as directed by the commissioner. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the commissioner regarding material changes to previously provided information relating to the cybersecurity event.

Copy link
(a)

Date of the cybersecurity event.

Copy link
(b)

Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.

Copy link
(c)

How the cybersecurity event was discovered.

Copy link
(d)

Whether any lost, stolen, or breached information has been recovered and, if so, how this was done.

Copy link
(e)

The identity of the source of the cybersecurity event.

Copy link
(f)

Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided.

Copy link
(g)

Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.

Copy link
(h)

The period during which the information system was compromised by the cybersecurity event.

Copy link
(i)

The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.

Copy link
(j)

The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.

Copy link
(k)

Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.

Copy link
(l)

A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.

Copy link
(m)

Name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Copy link
III.

A licensee shall notify consumers by complying with RSA 359-C:20, I(a) and (c), II-IV, and VI, and providing a copy of the notice sent to consumers under that statute to the commissioner, when a licensee is required to notify the commissioner under paragraph I.

Copy link
IV.

(a) In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat such event as it would under paragraph I, unless the third-party service provider provides the notice required under paragraph I to the commissioner.

Copy link
(b)

The computation of licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

Copy link
(c)

Nothing in this chapter shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider or any other party to fulfill any of the investigation requirements imposed under RSA 420-P:5 or notice requirements imposed under RSA 420-P:6.

Copy link
V.

(a)(1) As to notice of cybersecurity events of reinsurers to insurers, in the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within 3 business days of making the determination that a cybersecurity event has occurred.

Copy link
(2)

The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under RSA 359-C:20, I(a) and (c), II-IV, and VI, and any other notification requirements relating to a cybersecurity event imposed under this section. (b)(1) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within 3 business days of receiving notice from its third-party service provider that a cybersecurity event has occurred.

Copy link
(2)

The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under RSA 359-C:20, I(a) and (c), II-IV, and VI, and any other notification requirements relating to a cybersecurity event imposed under this section.

Copy link
(c)

Any licensee acting as assuming insurer shall have no other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of this state.

Copy link
VI.

As to notice of cybersecurity events from insurers to producers of record, in the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider and for which a consumer accessed the insurer's services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the commissioner. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer. Source. 2019, 309:1, eff. Jan. 1, 2020.

Copy link

Source note

Source. 2019, 309:1, eff. Jan. 1, 2020.

Source history

  • 2019, 309:1, eff. Jan. 1, 2020