Wisconsin Governor Signs Insurance Cybersecurity Act into Law

Wisconsin's new cybersecurity law will help protect PHI and PII.

By Lisa Gentes-Hunt

Wisconsin Governor Tony Evers signed a new cybersecurity regulation into law, creating additional measures for insurance companies to protect the personally identifiable information (PII) and protected health information (PHI) of individuals.

According to a report in JD Supra, Wisconsin is one of the latest states to “adopt the National Association of Insurance Commissioner's (NAIC) model cybersecurity law.”  

Wisconsin’s governor signed the law, Act 73, on July 15. The law will help protect the PII and PHI that insurance companies collect from individuals.  

“From ransomware to data breaches, insurers and consumers are at an increasing risk of experiencing a serious cybersecurity incident,” Wisconsin Insurance Commissioner Mark Afable said in a press release. “The new consumer protections in this Act will help protect personal data and keep Wisconsin insurance companies secure.”

Act 73 incorporates input from all participating state insurance commissioners, industry stakeholders, and consumer representatives, according to the release.  

“Wisconsin's Office of the Commissioner of Insurance (OCI) worked under the administrations of both Governor Evers and former Governor Walker to develop a version of this model law that would best serve Wisconsinites,” Afable states.  

The new law will mandate that anyone licensed with OCI, with some exceptions, must “develop an information security program that protects its systems and data. Within one year, they must also conduct a risk assessment and address any areas that put their consumer's data or their IT systems at risk. The law also requires insurers to develop an incident response plan and provide notice in a timely manner to consumers affected by a data breach.” 

Those licensees with fewer than 50 employees, “less than $10 million in total year-end assets, or less than $5 million in gross annual revenue,” are exempt from the law, according to the JD Supra report.  

“Other exemptions apply for licensees who are already in compliance with federal guidelines for depository institutions, HIPAA, and the federal Farm Credit Administration,” the report notes.  

With the new law, “licensees must develop and implement a security program that contains administrative, technical, and physical safeguards to protect the licensee's information systems and nonpublic information,” according to the report. 

Connie O'Connell, executive director of the Wisconsin Council of Life Insurers, stated in a press release that with the increasing reliance on technology, the state’s insurance companies are aware of the need to protect individuals' private data.  

“As we become even more dependent on technology, Wisconsin insurers are committed to protecting our customer's personal information,” O’Connell said. “Our agents and companies recognize the serious threat of potential cyberattacks and strongly support adopting these critical protections.”

Several other states have enacted new cybersecurity laws. Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 8, adding protections for Colorado consumers’ data and privacy. California and Virginia also adopted consumer privacy laws.

The Wisconsin law takes effect on November 1, 2022.