Delaware Insurance Data Security Act
Agencies that hold a Delaware resident or non-resident license need to comply with the Delaware’s Insurance Data Security Act, which was effective 7/31/2019. The legislation was put forth by the Delaware Department of Insurance (DOI).
The Delaware Insurance Data Security Act (HB 174) imposes requirements on insurers and insurance licensees, including all agents and brokers, in the area of data security; it is based on the National Association of Insurance Commissioners (NAIC) model law, and specifically:
- Requires the implementation of a comprehensive written information security program, and
- Establishes standards for the investigation of and notification to the insurance commissioner of cybersecurity events affecting licensees.
- Agencies with fewer than 15 employees are not required to develop, implement and maintain a specific Information Security Program as described in §8604 of the Delaware Data Security Law (mentioned in item 1. above). However, those agencies should have one in place to comply with other federal and state requirements including the Gramm-Leach-Bliley Act and its corresponding state regulation.
- Agencies subject to HIPAA and that have developed an Information Security Program compliant with HIPAA are not required to develop, implement and maintain a separate Information Security Program as described here in §8604 of the Delaware Data Security Law.
- Other sections of the law, including investigation and notification of a cybersecurity event apply to ALL AGENCIES, regardless of staff size, under §8605 and §8606. Universally Applicable Bulletin 5 updates how notification to the DOI of a cybersecurity event must be made (Oct. 8, 2020 update).
- The Information Security Program must be completed by 07/31/2020. However, compliance with the section on oversight of third-party service provider arrangements (§8604(f)) must be completed by 07/31/2021.
A template Information Security Program is available for IA&B members to review, personalize and use.
This document is not a legal opinion and should not be relied upon as such. The intent of this document is to provide a general background regarding the topic or topics discussed, not to provide legal advice. Producers and agencies should consult an attorney regarding specific situations and specific questions with respect to the topic or topics covered in this document. Neither the Insurance Agents & Brokers nor any of its employees shall be responsible for any errors or omissions regarding any statements made in this document, nor any errors or omissions regarding any statutes, regulations, court rules, and/or any other government documents cited in this document.