Delaware’s Insurance Data Security Act (the “Act”) requires all regulated insurance companies licensed in Delaware to follow new data security and notification requirements. This article summarizes Delaware’s adaptation of the NAIC Insurance Data Security Model Law.
Mission: To protect Delaware residents and insurance companies licensed to do business in Delaware from data breaches. The law requires companies to maintain security, promptly investigate a potential event, and notify the proper parties if an event occurs.
- Maintain the security of information systems and non-public information
- Promptly investigate cybersecurity events
- Notify individuals of cybersecurity events
- Notify the Commissioner of Insurance of actual or potential cybersecurity events
What is Non-Public Information?
The Act requires licensees to protect non-public information, including certain business-related information, personal information such as Social Security Numbers, identification numbers, or biometric data, and consumer healthcare information on treatments, conditions, or payments. Now is the time to review what non-public data is collected, reduce unnecessary collection, and delete what is not needed, minimizing exposure in the event of a breach.
Maintain Security
Companies must maintain a written Information Security Program: the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information. The program must:
- Protect the security and confidentiality of nonpublic information and the security of the information system.
- Protect against threats or hazards to the security or integrity of nonpublic information and the information system.
- Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer.
- Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when retention is no longer needed.
Promptly Investigate
Steps in Response to a Cybersecurity Event
A licensee must promptly investigate by answering the following questions:
- Did a cybersecurity event occur?
- What is the nature and scope of the cybersecurity event?
- Was any non-public information involved?
- What must the licensee do to fix the security of its information systems and prevent future unauthorized acquisition, release, or use of non-public information?
Promptly Notify
Insurance companies must notify the Delaware Insurance Commissioner within 72 hours of an occurrence. The notice must include as much information as possible from the investigation. Notice is required if the event impacts consumers or business functions. Additionally, notice is required if:
- The licensee is a domestic insurance company or a producer whose home state is Delaware
- The event likely involves 250 or more state residents, or notice is required by any federal or state law
Licensees must also:
- Notify impacted consumers within 60 days of the determination of a cybersecurity event or data breach
- Inform consumers that their data has been compromised
- Offer 1 year of free credit monitoring
“Cybersecurity event”
- “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.”
“Licensee”
- Any individual, partnership, corporation, branch, agency, or association licensed, authorized, or registered under Delaware insurance laws
A licensee does not include any of the following:
- A purchasing group or risk retention group that is chartered and licensed in another state
- A person that is:
  - acting as an assuming insurer; and
  - domiciled in a state or jurisdiction other than Delaware
“Third-party service provider”
- “A person who is not a licensee and who contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through the person’s provision of services to the licensee”
Licensees must also follow the Act’s protocols if the cybersecurity event involves a third-party service provider.
The Delaware Insurance Commissioner can impose financial penalties against licensees who violate the law.
Exemptions
- Licensees subject to HIPAA that demonstrate HIPAA compliance and a commitment to protecting information not covered under HIPAA
- A licensee that is an employee, agent, representative, or designee of another licensee, if the parent licensee’s information security program covers the licensee
- A licensee with fewer than 15 employees
Licensees must regularly review their cybersecurity implementations to ensure they remain compliant, and prepare for any new changes or amendments. Licensees should go beyond data protection by implementing data minimization to reduce risk, liability, and monetary impact. The crucial first step of data security compliance is knowing what data you have, then identifying the sensitive data and information assets that require protection under the law.
Ardent maximizes the privacy and security within an enterprise by minimizing data. By minimizing data, Ardent reduces your liability and business risk for privacy. Contact us for privacy law compliance for Delaware’s IDSA, CCPA, GDPR, FISMA, and more.
This Ardent Privacy article should not be considered as legal or technical advice on the Insurance Data Security Act, or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.