<?xml version="1.0" encoding="UTF-8"?><slim:Document xmlns:slim="urn:legix:slim" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:atipl="http://www.arbortext.com/namespace/PageLayout" class="codeChapter" id="chp507F" name="507F"><slim:About class="header"><slim:Property type="string" name="checkinTime">07/20/2021 11:32</slim:Property><slim:Property type="string" name="taskInfo">25:745F752A-B00F-4F2A-A4DF-BC3CA6B7324D</slim:Property><slim:Property type="string" name="version">4</slim:Property></slim:About><slim:TOC><slim:Item idref="sec507F.1" title="507F.1   Title."/><slim:Item idref="sec507F.2" title="507F.2   Purpose and scope."/><slim:Item idref="sec507F.3" title="507F.3   Definitions."/><slim:Item idref="sec507F.4" title="507F.4   Information security program."/><slim:Item idref="sec507F.5" title="507F.5   Third-party service provider arrangements."/><slim:Item idref="sec507F.6" title="507F.6   Cybersecurity event  investigation."/><slim:Item idref="sec507F.7" title="507F.7   Cybersecurity event  notification and report to the commissioner."/><slim:Item idref="sec507F.8" title="507F.8   Cybersecurity event  notification to consumers."/><slim:Item idref="sec507F.9" title="507F.9   Cybersecurity event  third-party service providers."/><slim:Item idref="sec507F.10" title="507F.10   Cybersecurity event reinsurers."/><slim:Item idref="sec507F.11" title="507F.11   Cybersecurity event  producers of record."/><slim:Item idref="sec507F.12" title="507F.12   Confidentiality."/><slim:Item idref="sec507F.13" title="507F.13   Applicability."/><slim:Item idref="sec507F.14" title="507F.14   Penalties."/><slim:Item idref="sec507F.15" title="507F.15   Rules and enforcement."/><slim:Item idref="sec507F.16" title="507F.16   Severability."/></slim:TOC><slim:Body><slim:Level class="codeChapter" id="chp507F"><slim:Heading class="heading"><xhtml:span class="identifier">507F</xhtml:span><xhtml:span class="headnote">INSURANCE DATA SECURITY</xhtml:span></slim:Heading><slim:Section class="codeSection" id="sec507F.1"><xhtml:div class="heading"><xhtml:span class="identifier">507F.1</xhtml:span><xhtml:span class="headnote">Title.</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> may be cited as the <xhtml:span class="term">“Insurance Data Security Act”</xhtml:span>.</xhtml:p><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §1, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.2"><xhtml:div class="heading"><xhtml:span class="identifier">507F.2</xhtml:span><xhtml:span class="headnote">Purpose and scope.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Notwithstanding any provision of law to the contrary, <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §2, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.3"><xhtml:div class="heading"><xhtml:span class="identifier">507F.3</xhtml:span><xhtml:span class="headnote">Definitions.</xhtml:span></xhtml:div><xhtml:p class="para">As used in <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>, unless the context otherwise requires:</xhtml:p><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Authorized individual”</xhtml:span> means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Commissioner”</xhtml:span> means the commissioner of insurance.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Consumer”</xhtml:span> means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Cybersecurity event”</xhtml:span> means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. <xhtml:span class="term">“Cybersecurity event”</xhtml:span> does not include any of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Delivered by electronic means”</xhtml:span> means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">6</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Encrypted”</xhtml:span> means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">7</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“<xhtml:span class="USActsRef">Gramm-Leach-Bliley Act</xhtml:span>”</xhtml:span> means the <xhtml:span class="USActsRef">Gramm-Leach-Bliley Act of 1999</xhtml:span>, <xhtml:span class="USCRef">15 U.S.C. §6801 et seq.</xhtml:span>, including amendments thereto and regulations promulgated thereunder.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">8</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“<xhtml:span class="USActsRef">Health Insurance Portability and Accountability Act</xhtml:span>”</xhtml:span> or <xhtml:span class="term">“HIPAA”</xhtml:span> means the <xhtml:span class="USActsRef">Health Insurance Portability and Accountability Act of 1996</xhtml:span>, <xhtml:span class="USCRef">Pub. L. No. 104-191</xhtml:span>, including amendments thereto and regulations promulgated thereunder.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">9</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Home state”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 522B.1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">10</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Information security program”</xhtml:span> means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">11</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Information system”</xhtml:span> means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">12</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Insurer”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 521A.1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">13</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Licensee”</xhtml:span> means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. <xhtml:span class="term">“Licensee”</xhtml:span> does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">14</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Multi-factor authentication”</xhtml:span> means authentication through verification of at least two of the following types of authentication factors:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">A knowledge factor, such as a password.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">A possession factor, such as a token or text message on a mobile phone.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">An inherence factor, such as a biometric characteristic.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">15</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Nonpublic information”</xhtml:span> means electronic information that is not publicly available information and that is any of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A social security number.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">A driver’s license number or a nondriver identification card number.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">A financial account number, a credit card number, or a debit card number.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">A security code, an access code, or a password that will permit access to a consumer’s financial accounts.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:p class="para">A biometric record.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">The provision of health care services to a consumer.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">Payment for the provision of health care services to a consumer.</xhtml:p></xhtml:div></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">16</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Person”</xhtml:span> means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">17</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Publicly available information”</xhtml:span> means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">That the information is of a type that is available to the general public.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">18</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Risk assessment”</xhtml:span> means the assessment that a licensee is required to conduct pursuant to <xhtml:span class="iowaCodeRef">section 507F.4, subsection 3</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">19</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Third-party service provider”</xhtml:span> means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §3, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.4"><xhtml:div class="heading"><xhtml:span class="identifier">507F.4</xhtml:span><xhtml:span class="headnote">Information security program.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to <xhtml:span class="iowaCodeRef">subsection 3</xhtml:span>. </xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This section</xhtml:span> shall not apply to any of the following: </xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A licensee that meets any of the following criteria:</xhtml:p><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Has fewer than twenty individuals on its workforce, including employees and independent contractors.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Has less than five million dollars in gross annual revenue.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Has less than ten million dollars in year-end total assets.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph <xhtml:span class="i">“b”</xhtml:span> to comply with <xhtml:span class="iowaCodeRef">this section</xhtml:span>.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">A licensee’s information security program must be designed to do all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall conduct a risk assessment that accomplishes all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Assesses the probability of, and the potential damage caused by, the threats identified in paragraph <xhtml:span class="i">“b”</xhtml:span>, taking into consideration the sensitivity of nonpublic information.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph <xhtml:span class="i">“b”</xhtml:span>. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Employee training and management.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">Detection, prevention, and response to an attack, intrusion, or other system failure.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para">Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">Based on the risk assessment conducted pursuant to <xhtml:span class="iowaCodeRef">subsection 3</xhtml:span>, a licensee shall do all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Develop, implement, and maintain an information security program as described in <xhtml:span class="iowaCodeRef">subsections 1 and 2</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Determine which of the following security measures are appropriate and implement each appropriate security measure:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:p class="para">Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">6</xhtml:span></xhtml:div><xhtml:p class="para">Modify information systems in accordance with the licensee’s information security program.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">7</xhtml:span></xhtml:div><xhtml:p class="para">Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">8</xhtml:span></xhtml:div><xhtml:p class="para">Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">9</xhtml:span></xhtml:div><xhtml:p class="para">Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">10</xhtml:span></xhtml:div><xhtml:p class="para">Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">11</xhtml:span></xhtml:div><xhtml:p class="para">Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Include cybersecurity risks in the licensee’s enterprise-wide risk management process.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para">Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment. </xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Develop, implement, and maintain the licensee’s information security program.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">Provide a written report to the board, at least annually, that documents all of the following:</xhtml:p><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The overall status of the licensee’s information security program and the licensee’s compliance with <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.</xhtml:p></xhtml:div></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee’s executive management delegates any of its responsibilities under <xhtml:span class="iowaCodeRef">this section</xhtml:span> the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph <xhtml:span class="i">“a”</xhtml:span>, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">6</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">7</xhtml:span></xhtml:div><xhtml:p class="para">As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The licensee’s internal process for responding to a cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">The goals of the licensee’s incident response plan.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">External communications, internal communications, and information sharing related to a cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para">The identification of remediation requirements for weaknesses identified in information systems and associated controls.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">f</xhtml:span></xhtml:div><xhtml:p class="para">Documentation and reporting regarding cybersecurity events and related incident response activities.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">g</xhtml:span></xhtml:div><xhtml:p class="para">The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">8</xhtml:span></xhtml:div><xhtml:p class="para">An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with <xhtml:span class="iowaCodeRef">this section</xhtml:span>. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for five years. To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, the insurer shall document the process used to identify the area, system, or process, and the remediation that has been implemented, or will be implemented, to address the area, system, or process. All records, schedules, documentation, and data described in <xhtml:span class="iowaCodeRef">this subsection</xhtml:span> shall be made available for inspection by the commissioner, or the commissioner’s representative, upon request of the commissioner.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">9</xhtml:span></xhtml:div><xhtml:p class="para">Licensees shall comply with <xhtml:span class="iowaCodeRef">this section</xhtml:span> no later than January 1, 2023.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §4, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.5"><xhtml:div class="heading"><xhtml:span class="identifier">507F.5</xhtml:span><xhtml:span class="headnote">Third-party service provider arrangements.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">Licensees shall comply with <xhtml:span class="iowaCodeRef">this section</xhtml:span> no later than January 1, 2024.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §5, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.6"><xhtml:div class="heading"><xhtml:span class="identifier">507F.6</xhtml:span><xhtml:span class="headnote">Cybersecurity event <xhtml:span class="em-dash"/> investigation.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on behalf of the licensee, shall conduct a prompt investigation of the event.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">During the investigation, the licensee, outside vendor, or third-party service provider the licensee has designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following as possible:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Confirm that a cybersecurity event has occurred.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Assess the nature and scope of the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Identify all nonpublic information that may have been compromised by the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">Perform or oversee reasonable measures to restore the security of any compromised information systems in order to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee shall complete an investigation in compliance with <xhtml:span class="iowaCodeRef">this section</xhtml:span>, or confirm and document that the third-party service provider has completed an investigation in compliance with <xhtml:span class="iowaCodeRef">this section</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §6, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.7"><xhtml:div class="heading"><xhtml:span class="identifier">507F.7</xhtml:span><xhtml:span class="headnote">Cybersecurity event <xhtml:span class="em-dash"/> notification and report to the commissioner.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if any of the following conditions apply:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The laws of this state or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">The licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves two hundred fifty or more consumers and either of the following apply:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">The cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee.</xhtml:p></xhtml:div></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">A licensee’s notification to the commissioner pursuant to <xhtml:span class="iowaCodeRef">subsection 1</xhtml:span> shall provide, in the form and manner prescribed by the commissioner by rule, as much of the following information as is available to the licensee at the time of the notification:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The date and time of the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">A description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of the licensee’s third-party service providers, if any.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">How the licensee discovered or became aware of the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">If any lost, stolen, or breached nonpublic information has been recovered and if so, how the recovery occurred.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para">The identity of the source of the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">f</xhtml:span></xhtml:div><xhtml:p class="para">The identity of any regulatory, governmental, or law enforcement agencies the licensee has notified, and the date and time of each notification.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">g</xhtml:span></xhtml:div><xhtml:p class="para">A description of the specific types of nonpublic information that were lost, stolen, or breached. </xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">h</xhtml:span></xhtml:div><xhtml:p class="para">The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under <xhtml:span class="iowaCodeRef">subsection 3</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">i</xhtml:span></xhtml:div><xhtml:p class="para">The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">j</xhtml:span></xhtml:div><xhtml:p class="para">A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">k</xhtml:span></xhtml:div><xhtml:p class="para">A copy of the licensee’s privacy policy.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">l</xhtml:span></xhtml:div><xhtml:p class="para">A statement outlining the steps the licensee is taking to identify and notify consumers affected by the cybersecurity event.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">m</xhtml:span></xhtml:div><xhtml:p class="para">The contact information for the individual authorized to act on behalf of the licensee and who is also knowledgeable regarding the cybersecurity event.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall have a continuing obligation to update and supplement the licensee’s initial notification to the commissioner as material changes to information previously provided to the commissioner occur. </xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §7, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.8"><xhtml:div class="heading"><xhtml:span class="identifier">507F.8</xhtml:span><xhtml:span class="headnote">Cybersecurity event <xhtml:span class="em-dash"/> notification to consumers.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">In the event of a cybersecurity event involving nonpublic information a licensee shall comply with the notification requirements pursuant to <xhtml:span class="iowaCodeRef">section 715C.2</xhtml:span>, and all other applicable notification requirements pursuant to federal or state law.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee is required to provide notice of a cybersecurity event to the commissioner pursuant to <xhtml:span class="iowaCodeRef">section 507F.7, subsection 1</xhtml:span>, the licensee shall submit to the commissioner a copy of the consumer notices provided by the licensee to consumers under <xhtml:span class="iowaCodeRef">this section</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §8, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.9"><xhtml:div class="heading"><xhtml:span class="identifier">507F.9</xhtml:span><xhtml:span class="headnote">Cybersecurity event <xhtml:span class="em-dash"/> third-party service providers.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span>, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span>. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span>. The computation of the licensee’s deadlines pursuant to <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span> shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This section</xhtml:span> shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under <xhtml:span class="iowaCodeRef">section 507F.6</xhtml:span> or <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span> on behalf of the licensee.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §9, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.10"><xhtml:div class="heading"><xhtml:span class="identifier">507F.10</xhtml:span><xhtml:span class="headnote">Cybersecurity event reinsurers.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of <xhtml:span class="iowaCodeRef">section 715C.2</xhtml:span>, and all other applicable notification requirements pursuant to federal or state law.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of <xhtml:span class="iowaCodeRef">section 715C.2</xhtml:span>, and all other applicable notification requirements pursuant to federal or state law.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to <xhtml:span class="iowaCodeRef">subsections 1 and 2</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §10, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.11"><xhtml:div class="heading"><xhtml:span class="identifier">507F.11</xhtml:span><xhtml:span class="headnote">Cybersecurity event <xhtml:span class="em-dash"/> producers of record.</xhtml:span></xhtml:div><xhtml:p class="para">If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to <xhtml:span class="iowaCodeRef">section 507F.7</xhtml:span>. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.</xhtml:p><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §11, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.12"><xhtml:div class="heading"><xhtml:span class="identifier">507F.12</xhtml:span><xhtml:span class="headnote">Confidentiality.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under <xhtml:span class="iowaCodeRef">chapter 22</xhtml:span>, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to <xhtml:span class="iowaCodeRef">subsection 1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">In order to assist in the performance of the commissioner’s duties under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>, the commissioner may:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Share documents, materials, and other information, including documents, materials, and other information subject to <xhtml:span class="iowaCodeRef">subsection 1</xhtml:span>, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Share documents, materials, or other information subject to <xhtml:span class="iowaCodeRef">subsection 1</xhtml:span> with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with <xhtml:span class="iowaCodeRef">this subsection</xhtml:span>.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>, or as a result of the sharing of the document, material, or other information as authorized under <xhtml:span class="iowaCodeRef">this section</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to <xhtml:span class="iowaCodeRef">chapter 22</xhtml:span>, to a database or other clearinghouse service maintained by the national association of insurance commissioners, or its affiliates and subsidiaries.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">6</xhtml:span></xhtml:div><xhtml:p class="para">Documents, materials, and other information received by the commissioner under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> and shared pursuant to <xhtml:span class="iowaCodeRef">subsection 3</xhtml:span>, shall be confidential by law and privileged, shall not constitute a public record under <xhtml:span class="iowaCodeRef">chapter 22</xhtml:span>, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">7</xhtml:span></xhtml:div><xhtml:p class="para">Ownership of documents, materials, and other information shared under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> with the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor, remains with the commissioner, and use of the documents, materials, and other information by the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor is subject to the direction of the commissioner.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §12, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.13"><xhtml:div class="heading"><xhtml:span class="identifier">507F.13</xhtml:span><xhtml:span class="headnote">Applicability.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> shall not apply to a licensee that is subject to, and in compliance with, the <xhtml:span class="USActsRef">Health Insurance Portability and Accountability Act</xhtml:span>. The licensee shall annually submit to the commissioner a written certification of the licensee’s compliance with HIPAA.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> shall not apply to a licensee that is owned or controlled by a federally insured depository institution that is subject to, and in compliance with, the <xhtml:span class="USActsRef">Gramm-Leach-Bliley Act</xhtml:span> or comparable federal law and corresponding regulations.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">A licensee shall have one hundred eighty days from the date the licensee no longer qualifies for exemption under <xhtml:span class="iowaCodeRef">subsection 1 or 2</xhtml:span> to comply with <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §13, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.14"><xhtml:div class="heading"><xhtml:span class="identifier">507F.14</xhtml:span><xhtml:span class="headnote">Penalties.</xhtml:span></xhtml:div><xhtml:p class="para">A licensee that violates <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> shall be subject to penalties pursuant to <xhtml:span class="iowaCodeRef">section 505.7A</xhtml:span> and <xhtml:span class="iowaCodeRef">chapter 507B</xhtml:span>. </xhtml:p><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §14, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.15"><xhtml:div class="heading"><xhtml:span class="identifier">507F.15</xhtml:span><xhtml:span class="headnote">Rules and enforcement.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The commissioner may adopt rules pursuant to <xhtml:span class="iowaCodeRef">chapter 17A</xhtml:span> as necessary to administer <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §15, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section><slim:Section class="codeSection" id="sec507F.16"><xhtml:div class="heading"><xhtml:span class="identifier">507F.16</xhtml:span><xhtml:span class="headnote">Severability.</xhtml:span></xhtml:div><xhtml:p class="para">If any provision of <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> which can be given effect without the invalid provision or application, and to this end the provisions of <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> are severable.</xhtml:p><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2021 Acts, ch 79, §16, 17</xhtml:span></xhtml:div></xhtml:div></slim:Section></slim:Level></slim:Body></slim:Document>