The administration of Gov. Tim Walz plans to propose legislation next year to tighten computer security at insurance companies in the state, following revelations that Minnesota Blue Cross Blue Shield allowed hundreds of thousands of serious cybersecurity vulnerabilities to collect on its computer systems over a period of years.
State Commerce Commissioner Steve Kelley said in an interview on Friday that his office will work with the Legislature early next year to draft and generate support for a state law adopting national standards for data security at insurance companies, including but not limited to health insurers.
The announcement comes less than a week after the Star Tribune reported that Minnesota Blue Cross, the state's largest health insurer, is working to eliminate as many of the 200,000 critical or severe cybersecurity vulnerabilities on its network servers as it can before the end of the year, following sharp prodding by a whistleblower. Minnesota Blue Cross said its customers' data are secure, and the not-for-profit insurer complies with existing legal requirements for data privacy and security.
The new Minnesota insurance cybersecurity law would give the state Commerce Department the power to investigate cybersecurity precautions and breaches at insurance companies, and it also would create a requirement that insurers notify the office when they experience a breach.
"We see the stories every day that companies are under attack from a variety of sources, whether they are individual hackers or government-sponsored intrusions. Consumers, and information held by insurance companies and related licensees, are always under attack," Kelley said. "So it is appropriate to take common-sense steps to increase the protections against cybersecurity as well as other kinds of threats to protect the information of consumers."
With Walz's support, Kelley said he will bring forward legislation in February to have Minnesota join the small but growing number of states adopting a model cybersecurity law for insurance companies.
"Minnesotans deserve peace of mind when it comes to privacy in the digital age," Walz said in an e-mailed statement. "Right now, insurance companies are trusted with our most private information. Establishing standards for data security will protect millions of consumers across the state, while strengthening our business community and economy. I look forward to working with industry partners and legislators on this important issue."
The model law was drafted in 2017 by the National Association of Insurance Commissioners (NAIC) after nearly two years of debate. Eight states including Michigan and Ohio have adopted the law.
The U.S. Treasury Department has said it may be necessary for Congress to establish national uniform data security regulations if states don't do it themselves in the next few years.
The national insurance group said the push for a model law was prompted in 2016 by a string of cybersecurity breaches of sensitive personal information about millions of insurance customers. The nation's largest breach of health care data, affecting 78.8 million Americans (including 11,000 in Minnesota), was reported in 2015 at the Blue Cross licensee Anthem Inc. The second- and third-largest confirmed breaches were also reported that year, at Blue plans outside Minnesota.
"State adoption of the model [law] is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information," the NAIC said this month in a fact sheet about the law.
Unlike other types of insurance companies, health insurers must already comply with the federal data-privacy law commonly known as HIPAA, which requires covered entities like insurers, hospitals and their contractors to regularly scan their networks for security vulnerabilities and to remediate them, either by installing security patches or taking other steps to protect computer systems from unauthorized access.
Kelley noted that the model state law exempts HIPAA-compliant health insurance companies from the requirement to develop and maintain a risk-based cybersecurity program, including having a designated employee in charge of their program.
Other types of insurers not covered by HIPAA would have to follow that aspect of the state law.
But the new law would give Kelley's office the ability to examine insurance companies' risk assessments and emergency-response plans. It would also require all insurers to notify his office, and also state residents, if they detect a breach of sensitive data from their systems.
Identity thieves can use stolen personal information to harass victims or commit financial fraud, and health care data are among the sought-after information on the criminal black market.
But Kelley said data breaches are a "big deal" to consumers even if they don't lead directly to harassment or fraud. For example, such data can be used to illegally discriminate against people because of health status or other sensitive details.
"One of the challenges in this modern age is this ability of data-rich companies to draw connections among disparate pieces of data, even if they don't have the whole thing," Kelley said.