Cybersecurity Law Takes Effect
Delaware’s new Insurance Data Security Act imposes requirements on insurers and insurance licensees, including all agents and brokers, in the area of data security. Gov. John Carney signed House Bill 174 into law on July 31. Put forth by the Department of Insurance (DOI) and passed by the Delaware General Assembly in June, the law is based on the National Association of Insurance Commissioners (NAIC) model law.
The law takes effect in several stages. Effective immediately, all licensees must comply with new standards for investigating cybersecurity events and notifying the insurance commissioner of them, no later than three business days after the licensee determines that a cybersecurity event has occurred.
Agents have one year (by July 31, 2020) to comply with § 8604 of the Act, which requires a licensee to “develop, implement, and maintain a comprehensive, written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.”
Agents have two years (by July 31, 2021) to comply with § 8604(f) of the Act, which requires licensees to maintain oversight of their third-party service provider arrangements, specifically:
(1) A licensee shall exercise due diligence in selecting a third-party service provider.
(2) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information system and nonpublic information that the third-party service provider has access to or holds. The third-party service provider is not considered to have access to or hold encrypted nonpublic information for purposes of this section if the associated protective process or key necessary to assign meaning to the nonpublic information is not within the third-party service provider’s possession.
Agencies with fewer than 15 employees are exempted from the requirements of § 8604.
We spent several months in talks with the DOI and lawmakers about the standards agents and brokers are already held to when protecting policyholder data, and we were successful in making several improvements to the law beyond what exists in the NAIC model. Most notably, we were able to expand the provision that exempts agencies from the written information security program requirements. The NAIC Data Security Model Law exempts agencies with fewer than 10 employees, including independent contractors. Thanks to our advocacy, the Delaware law increases that threshold to fewer than 15 employees, and removes the independent contractor language, thus exempting the majority of Delaware independent agencies from the most onerous requirements of the new law.
One of the reasons we succeeded in expanding the exemption is that agencies of all sizes are already subject to a (less stringent) Written Information Security Program under the Gramm-Leach-Bliley Act and its implementing regulation, and under HIPAA.
For those agencies that are not exempt from § 8604, we are updating our resources to provide members with a template.