Gov. Carney signs law creating cybersecurity standards for insurance industry
Gov. John Carney has signed into law the Delaware Insurance Data Security Act. The law establishes a comprehensive regulatory framework that requires insurers licensed to do business in Delaware to implement information security programs and report data breaches in a timely manner, and that empowers the Department of Insurance to investigate violations and levy penalties.
“When hardworking consumers entrust their personal information to their insurance companies, they have a reasonable expectation that their carriers will do everything they can to safeguard that information,” said Delaware Insurance Commissioner Trinidad Navarro.
“Over the past several years, we have seen time and again consumers’ information be compromised or stolen by hackers’ cyber threats to insurers. By codifying a regulatory standard that requires all insurance licensees in Delaware to implement information security programs and timely report data breaches to the Department and consumers, HB 174 enhances Delaware’s consumer protection measures to hold companies accountable and give consumers the peace of mind that they deserve.”
This is the first law to set security standards for insurance companies. In the past, according to the department, reports of a data breach were often delayed.
Here are some key aspects of the law:
- Requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and the compromise of consumers’ Nonpublic Information and personal data;
- Requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
- Requires insurers to notify the Insurance Commissioner within three (3) business days of determining that a data breach or cybersecurity event has occurred;
- Mandates that insurers notify all impacted consumers within sixty (60) days of the determination that their data has or may have been compromised;
- Requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
- Endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of this Act and take action accordingly.
“Data breaches are personal, comprising critical information and forcing an individual to rebuild their entire lives,” said Rep. William Bush, chief sponsor of HB 174. “Instituting a framework with safeguards to protect Delawareans from insurance data breaches is the right thing to do. This comprehensive legislation enhances consumers’ data privacy and protection, with the ultimate goal of giving them peace of mind and security.”