HB 436 -- INSURANCE COMPANIES' DATA SECURITY

SPONSOR: Hardwick

This bill establishes the "Insurance Data Security Act".

The bill requires licensees to implement an information security program, as defined in the bill. Each licensee must have a comprehensive information security program that is in keeping with the size and complexity of the licensee and the scope of its activities. This bill specifies data protection objectives for the programs, as well as standards for risk assessment by licensees, and measures to be implemented in the information security programs.

The bill specifies the requirements for licensees' boards of directors or executive management regarding the information security programs, and requires certain oversight of "third-party service providers", as defined in the bill. Licensees must monitor their information security programs and adjust them as appropriate, consistent with relevant changes in technology and the licensees' activities. This bill requires incident response plans as part of information security programs, as specified in the bill. Insurers domiciled in this state must annually submit, by April 15, a written statement that the insurer is in compliance with the information security program requirements of the bill, and must maintain certain documentation for inspection by the Director of the Department of Commerce and Insurance for a period of five years.

The bill also specifies procedures and standards for investigation of cybersecurity events, as well as requirements to notify regulators, consumers, other insurers, and insurance producers as specified in the bill if certain cybersecurity events occur. The Director will have authority to enforce the bill in the manner provided by law for enforcement of the insurance laws of this state.

As specified in the bill, documents and other information furnished to the Department of Commerce and Insurance will be confidential and privileged from disclosure to other parties, and persons receiving documents or information under the Director's authority in the bill will not testify in any private civil action. In order to assist in the performance of the Director's duties in the bill, the Director may receive documents and information that would otherwise be confidential and privileged, and may enter into agreements with other authorized parties.

This bill specifies certain exceptions. The bill contains a delayed effective date of January 1, 2026, and grants licensees additional time for the implementation of certain provisions.

This bill is similar to HB 2316 (2024).

Statutes affected:
Introduced (1574H.01): 375.1400, 375.1402, 375.1405, 375.1407, 375.1410, 375.1412, 375.1415, 375.1417, 375.1420, 375.1422, 375.1425, 375.1427