STATE OF OKLAHOMA
1st Session of the 59th Legislature (2023)
SENATE BILL 543 By: Montgomery

AS INTRODUCED

An Act relating to insurance data security; creating the Insurance Data Security Act; providing short title; establishing act jurisdiction; construing provision; defining terms; requiring licensees to develop data security program with certain inclusions; establishing intent of security programs created pursuant to act; directing licensee to conduct risk assessment; directing licensee to take certain action following risk assessment result; requiring certain supervising boards to take certain actions to implement program; requiring licensee to contract with third-party service provider subject to certain conditions; requiring licensee to maintain updates and revisions to program; requiring licensee to develop incident response plan; requiring certain reports be submitted to the Insurance Commissioner; requiring insurer to maintain certain records for specific time period; requiring investigation after certain cybersecurity event; establishing investigation process; requiring notification of certain event to the Commissioner; requiring compliance with certain state laws; providing for certain exemption; providing for the Commissioner to investigate certain licensees for certain violations; providing for confidentiality of certain information relating to cybersecurity event; allowing Commissioner to share certain data with national association; construing provision; providing for rule promulgation; providing certain exceptions to act; establishing penalties; amending 51 O.S. 2021, Section 24A.3, as last amended by Section 1, Chapter 402, O.S.L. 2022 (51 O.S. Supp. 2022, Section 24A.3), which relates to the Oklahoma Open Records Act; modifying definition; providing for codification; and providing an effective date.
Req. No. 391 Page 1

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 670 of Title 36, unless there is created a duplication in numbering, reads as follows:

This act shall be known and may be cited as the “Insurance Data Security Act”.

SECTION 2. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 671 of Title 36, unless there is created a duplication in numbering, reads as follows:

A. Notwithstanding any other provision of law, the provisions of this act shall be the exclusive state law for licensees subject to the jurisdiction of the Insurance Commissioner for data security, the investigation of a cybersecurity event, and notification to the Commissioner.

B. This act shall not be construed to create or imply a private cause of action for violations of its provisions.

SECTION 3. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 672 of Title 36, unless there is created a duplication in numbering, reads as follows:

As used in this act:

1. “Authorized individual” means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems;

2. “Commissioner” means the Insurance Commissioner;

3. “Consumer” means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this state and whose nonpublic information is in the possession, custody, or control of a licensee;

4. “Cybersecurity event” means an event resulting in unauthorized access to or disruption or misuse of an information system or nonpublic information stored on the information system;

5. “Department” means the Insurance Department;

6. “Encrypted” means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key;

7. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;

8. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of nonpublic information, as well as any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems;

9. “Licensee” means any person licensed, authorized to operate or registered, or required to be licensed, authorized or registered pursuant to Title 36 of the Oklahoma Statutes; provided, however, that it shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction;

10. “Multi-factor authentication” means authentication through verification of at least two (2) of the following types of authentication factors:
    a. knowledge factors, such as a password,
    b. possession factors, such as a token or text message on a mobile phone, or
    c. inherence factors, such as a biometric characteristic;

11. “Non-public information” means electronic information that is not publicly available and is:
    a. business related information of a licensee, of which the tampering with or unauthorized disclosure, access, or use of would cause a material adverse impact to the business, operations, or security of the licensee,
    b. any information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify him or her, in combination with any one or more of the following data elements:
        (1) social security number,
        (2) driver license number or nondriver identification card number,
        (3) financial account number, credit, or debit card number,
        (4) any security code, access code, or password that would permit access to a consumer’s financial account, or
        (5) biometric records, and
    c. any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer and that relates to:
        (1) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the family of the consumer,
        (2) the provision of health care to any consumer, or
        (3) payment for the provision of health care to any consumer;

12. “Person” means any individual or any nongovernmental entity including but not limited to any nongovernmental partnership, corporation, branch, agency, or association;

13. “Publicly available information” means any information that a licensee has reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law. For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
    a. that the information is of the type that is available to the general public, and
    b. whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so; and

14. “Third-party service provider” means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

SECTION 4. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 673 of Title 36, unless there is created a duplication in numbering, reads as follows:

A. Each licensee in this state shall develop, implement, and maintain a comprehensive written information security program based on the risk assessment of the licensee provided for in this act and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the information systems of the licensee. The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the activities of the licensee, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the possession, custody, or control of the licensee.

B. An information security program of a licensee shall be designed to:
1. Protect the security and confidentiality of nonpublic information and the security of the information systems;
2. Protect against any threats or hazards to the security or integrity of nonpublic information and the information systems;
3. Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
4. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

C. The licensee shall:
1. Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;
2. Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;
3. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information;
4. Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the operations of the licensee, including:
    a. employee training and management,
    b. information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal, and
    c. detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
5. Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the key controls, systems, and procedures of the safeguards.

D. Based on the results of the risk assessment, the licensee shall:
1. Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the activities of the licensee including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the possession, custody, or control of the licensee;
2. Determine and implement security measures deemed appropriate, including:
    a. place access controls on information systems including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information,
    b. identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy of the organization,
    c. restrict physical access to nonpublic information to authorized individuals only,
    d. protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media,
    e. adopt secure development practices for in-house developed applications utilized by the licensee,
    f. modify the information system in accordance with the information security program of the licensee,
    g. utilize effective controls, which may include multi-factor authentication procedures for any authorized individual accessing nonpublic information,
    h. regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems,
    i. include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee,
    j. implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards such as fire and water damage or
21