According to Senate Bill 160 sponsor, Sen. Patrick Testin, “the bill was originally offered in the 2019-2020 legislative session. It had already passed the assembly and was slated to be taken up by the Senate.”
However, “The COVID shutdown shortened the legislative session, and we were unable to pass it in the Senate when the state was shut down. As a result, Rep. [Kevin] Petersen and myself thought it was important to re-run it this session and get it passed into law,” Testin said in an email.
Now that the law has been passed, insurers will have to conduct a risk assessment, develop an information security program to mitigate identified threats and work with third-party providers to protect customers’ information.
They will also have to create an incident response plan to better react to and recover information affected by a cybersecurity attack.
If a cyber attack occurs, the bill states insurance companies must notify consumers and their independent insurance providers within 45 days of learning there was a breach and notify consumer reporting agencies if the attack affects 1,000 or more consumers.
Companies must also notify the Office of the Commissioner of Insurance (OCI) within three days of the breach.
“Information security legislation can cause businesses and governments a great deal of anxiety, so it’s important to get it right, providing robust security requirements that fit the industry and are easily implemented,” Testin said. “Our process, bringing stakeholders to the table and using model legislation as a starting point, was really effective and demonstrates that it is possible to develop collaborative, effective information security legislation.”
“This bill came to our attention last session when work began on it. We worked alongside the authors of the bill and supported it,” said Natalie White, the communications director for the Professional Insurance Agents of Wisconsin Inc.
“Our perspective is cybersecurity is an extremely important issue for all people. Cyber attacks are happening much more often compared to several years ago, making it apparent that standards need to be implemented at the state level,” White said.
To address this, the bill’s standards were based on model legislation drafted by the National Association of Insurance Commissioners but customized to fit Wisconsin’s insurance industry, she said.
“The key to this bill is staying aware of all possible threats and making sure the industry, the OCI and those affected by cyber attacks are notified,” White said. “Communication is essential.”