What to Know as DE Cybersecurity Bill Advances
Pending cybersecurity legislation would exempt agents from its most onerous requirements – under the presumption that agents already comply with numerous privacy, security, and data breach mandates. As we reported last week in Agent Headlines, IA&B championed these improvements to the original draft bill.
The Department of Insurance is pushing for this legislation, so it stands to reason that regulators will assess agents’ compliance with existing requirements:
1) Written Information Security Program: The federal Gramm-Leach-Bliley Act (GLBA) led to state regulations governing the handling of personal information, including the need for:
a. a privacy notice disclosing to customers the agency’s policy for collecting and sharing information, and
b. a written information security program to formalize what the agency did to protect the information (including your general office security, your computer systems and your office procedures a.k.a.”physical, technical and administrative safeguards”). An interactive online tool is available on our website to fulfill this requirement by simply answering a questionnaire.
2) HIPAA/HITECH Information Security Rule: For those agents writing health insurance, the Health Insurance Portability and Affordability Act (HIPAA) strengthened its information security components over time. It imposes on agents significant requirements regarding data security for Electronic Protected Health Information (EPHI). Many of these requirements are also addressed in the Business Associate agreement or addendum signed by agents with their health carriers.
While the overarching concept is the same as GLBA’s Information Security Program mentioned above (with physical, technical, and administrative safeguards), the requirements are much more detailed. Information on each detailed item is available on our website as well.
3) Data breach notification: You are required to identify and respond to data breaches both under state law and under HIPAA. An explanation of the triggers, steps to take and sample notification letter are all available on our website.