Connecticut and Delaware Enact New Data Security Laws for the Insurance Industry

8/8/19

By: Ben N. Dunlap
Connecticut and Delaware have enacted new laws imposing data security obligations on the insurance industry, joining New York, South Carolina, Ohio, Michigan, and Mississippi.
Connecticut’s Insurance Data Security Law, signed by the Governor on July 26, 2019, creates new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department. Following the model of New York’s Department of Financial Services 2017 Cybersecurity Regulations, the Connecticut law requires licensees to maintain an information security program corresponding to the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program. The law requires oversight by the licensee’s board of directors and annual certification of compliance to the Insurance Department. The law also imposes a new reporting requirement: licensees will have to report cybersecurity incidents to the Insurance Department within three business days. The law becomes effective October 1, 2019, but licensees have until October 1, 2020 to prepare and implement programs compliant with the new requirements.
The Delaware Insurance Data Security Act, signed by the Governor on July 31, 2019, establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security program. Following the 2018 Model Act published by the National Association of Insurance Commissioners, the Delaware law requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it authorizes the Department of Insurance to investigate violations of the law and impose penalties against insurance carriers.
The Delaware law requires licensees to (1) implement information security programs and conduct risk assessments to try to prevent data breaches and the compromise of consumers’ nonpublic information and personal data; (2) conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised; (3) notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred; (4) notify all impacted consumers within 60 days of the determination that their data has been or may have been compromised; and (5) offer free credit monitoring services for one year to consumers impacted by breaches.
If you have any questions or would like more information, please contact Ben Dunlap at bdunlap@fmglaw.com.