Can Defense Counsel Show They Are Cyber Secure?

By Barry Miller and Curt Graham of Freeman Mathis & Gary, LLP
Originally Appearing in the Kentucky Defense Counsel Winter 2023 Magazine. Shared with permission.

In the ever-changing world of data privacy, there is a new development in Kentucky to be aware of. During the 2022 legislative session, Kentucky’s General Assembly passed House Bill (“HB”) 474, the Insurance Data Security Law (the “Act”). See Ky. Rev. Stat. §§ 304.3-750 – 304.3-768. The Act gives insurers and other “licensees” some time to comply with its provisions, and most insurers will be ready to do so. But Kentucky insurance defense counsel may not be prepared for the Act’s impact.

The Act took effect on January 1, 2023. It gives licensees two years to implement a compliant information security program. A “licensee” is defined as “any person who is, or is required to be, licensed, authorized to operate, or registered pursuant to the insurance laws of [Kentucky].” KRS 304.3-750(6)(a). Beginning on February 15, 2025, licensees must certify to the Kentucky Insurance Commissioner that their plan complies. KRS 304.3-756(9). After that, the statute requires certification yearly, and the Insurance Commissioner will retain enforcement authority to investigate possible violations of the Act. Id.

The Act requires insurers’ security plans to be “[c]ommensurate with the size and complexity of the licensee,” the sensitivity of nonpublic information it holds, and other factors, “including its use of third-party service providers.” KRS 304.3-756(2). That’s where attorneys come in.

