House File 719 - Introduced

HOUSE FILE 719
BY COMMITTEE ON INFORMATION TECHNOLOGY
(SUCCESSOR TO HSB 198)

A BILL FOR

An Act relating to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

LSB 1335HV (2) 89
ko/rn

H.F. 719

Section 1. NEW SECTION. 507F.1 Title.
This chapter may be cited as the “Insurance Data Security Act”.

Sec. 2. NEW SECTION. 507F.2 Purpose and scope.
1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.

Sec. 3. NEW SECTION. 507F.3 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
7. “Gramm-Leach-Bliley Act” means the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., including amendments thereto and regulations promulgated thereunder.
8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
9. “Home state” means the same as defined in section 522B.1.
10. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
11. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
12. “Insurer” means the same as defined in section 521A.1.
13. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
14. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
15. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
16. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
17. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.
18. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
19. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

Sec. 4. NEW SECTION. 507F.4 Information security program.
1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
(a) Has fewer than twenty individuals on its workforce, including employees and independent contractors.
(b) Has less than five million dollars in gross annual revenue.
(c) Has less than ten million dollars in year-end total assets.
(2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
2. A licensee’s information security program must be designed to do all of the following:
a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
(1) Employee training and management.
(2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
(3) Detection, prevention, and response to an attack, intrusion, or other system failure.
e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
a. Develop, implement, and maintain an information security program as described in subsections 1 and 2.
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
(1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy.
(3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
(4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
(5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
(6) Modify information systems in accordance with the licensee’s information security program.
(7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
(8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
(9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
(10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
(11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(1) Develop, implement, and maintain the licensee’s information security program.
(2) Provide a written report to the board, at least annually, that documents all of the following:
(a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
(b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
b. If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a”, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.
6. A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
7. As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
a. The licensee’s internal process for responding to a cybersecurity event.
b. The goals of the licensee’s incident response plan.
c. The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan.
d. External communications, internal communications, and information sharing related to a cybersecurity event.
e. The identification of remediation requirements for weaknesses identified in information systems and associated controls.
f. Documentation and reporting regarding cybersecurity events and related incident response activities.
g. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
8. An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for five years. To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, the insurer shall document the process used to identify the area, system, or process, and the remediation that has been implemented, or will be implemented, to address the area, system, or process. All records, schedules, documentation, and data described in this subsection shall be made available for inspection by the commissioner, or the commissioner’s representative, upon request of the commissioner.
9. Licensees shall comply with this section no later than January 1, 2023.

Sec. 5. NEW SECTION. 507F.5 Third-party service provider arrangements.
1. A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers.
2. Licensees shall comply with this section no later than January 1, 2024.

Sec. 6. NEW SECTION. 507F.6 Cybersecurity event —— investigation.
1. If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on behalf of the licensee, shall conduct a prompt investigation of the event.
2. During the investigation, the licensee, outside vendor, or third-party service provider the licensee has designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following as possible:
a. Confirm that a cybersecurity event has occurred.
b. Assess the nature and scope of the cybersecurity event.
c. Identify all nonpublic information that may have been compromised by the cybersecurity event.
d. Perform or oversee reasonable measures to restore the security of any compromised information systems in order to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.
3. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee shall complete an investigation in compliance with this section, or confirm and document that the third-party service provider has completed an investigation in compliance with this section.
4. A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner.

Sec. 7. NEW SECTION. 507F.7 Cybersecurity event —— notification and report to the commissioner.
1. A licensee shall notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if any of the following conditions apply:
a. The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply:
(1) The laws of this state or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
(2) The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee.
b. The licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves two hundred fifty or more consumers and either of the following apply:
(1) State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
(2) The cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee.
2. A licensee’s notification to the commissioner pursuant to subsection 1 shall provide, in the form and manner prescribed by the commissioner by rule, as much of the following information as is available to the licensee at the time of the notification:
a. The date and time of the cybersecurity event.
b. A description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of the licensee’s third-party service providers, if any.
c. How the licensee discovered or became aware of the cybersecurity event.
d. If any lost, stolen, or breached nonpublic information has been recovered and if so, how the recovery occurred.
e. The identity of the source of the cybersecurity event.
f. The identity of any regulatory, governmental, or law enforcement agencies the licensee has notified, and the date and time of each notification.
g. A description of the specific types of nonpublic information that were lost, stolen, or breached.
h. The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under subsection 3.
i. The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures.
j. A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event.
k. A copy of the licensee’s privacy policy.
l. A statement outlining the steps the licensee is taking to identify and notify consumers affected by the cybersecurity event.
m. The contact information for the individual authorized to act on behalf of the licensee and who is also knowledgeable regarding the cybersecurity event.
3. A licensee shall have a continuing obligation to update and supplement the licensee’s initial notification to the commissioner as material changes to information previously provided to the commissioner occur.

Sec. 8. NEW SECTION. 507F.8 Cybersecurity event —— notification to consumers.
1. In the event of a cybersecurity event involving nonpublic information a licensee shall comply with the notification requirements pursuant to section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
2. If a licensee is required to provide notice of a cybersecurity event to the commissioner pursuant to section 507F.7, subsection 1, the licensee shall submit to the commissioner a copy of the consumer notices provided by the licensee to consumers under this section.

Sec. 9. NEW SECTION. 507F.9 Cybersecurity event —— third-party service providers.
1. If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier.
2. This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under section 507F.6 or section 507F.7 on behalf of the licensee.

Sec. 10. NEW SECTION. 507F.10 Cybersecurity event —— reinsurers.
1. If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
2. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
3. Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2.

Sec. 11. NEW SECTION. 507F.11 Cybersecurity event —— producers of record.
If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.

Sec. 12. NEW SECTION. 507F.12 Confidentiality.
1. Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.
2. The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1.
3. In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may:
a. Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.
b. Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.
c. Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.
d. Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection.
4. No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section.
5. This chapter shall not prohibit the commissioner from releasing
final,
adjudicated
actions
that
are
open
to
public
35
-17-
LSB
1335HV
(2)
89
ko/rn
17/
24
H.F.
719
inspection
pursuant
to
chapter
22,
to
a
database
or
other
1
clearinghouse
service
maintained
by
the
national
association
of
2
insurance
commissioners,
or
its
affiliates
and
subsidiaries.
3
6.
Documents,
materials,
and
other
information
received
4
by
the
commissioner
under
this
chapter
and
shared
pursuant
to
5
subsection
3,
shall
be
confidential
by
law
and
privileged,
6
shall
not
constitute
a
public
record
under
chapter
22,
shall
7
not
be
subject
to
subpoena
or
discovery,
and
shall
not
be
8
admissible
as
evidence
in
a
private
civil
action.
9
7.
Ownership
of
documents,
materials,
and
other
information
10
shared
under
this
chapter
with
the
national
association
of
11
insurance
commissioners,
its
affiliates
and
subsidiaries,
12
or
a
third-party
consultant
or
vendor,
remains
with
the
13
commissioner,
and
use
of
the
documents,
materials,
and
14
other
information
by
the
national
association
of
insurance
15
commissioners,
its
affiliates
and
subsidiaries,
or
a
16
third-party
consultant
or
vendor
is
subject
to
the
direction
of
17
the
commissioner.
18
Sec.
13.
NEW
SECTION
.
507F.13
Applicability.
19
1.
This
chapter
shall
not
apply
to
a
licensee
that
is
20
subject
to,
and
in
compliance
with,
the
Health
Insurance
21
Portability
and
Accountability
Act.
The
licensee
shall
22
annually
submit
to
the
commissioner
a
written
certification
of
23
the
licensee’s
compliance
with
HIPAA.
24
2.
This
chapter
shall
not
apply
to
a
licensee
that
25
is
owned
or
controlled
by
a
federally
insured
depository
26
institution
that
is
subject
to,
and
in
compliance
with,
27
the
Gramm-Leach-Bliley
Act
or
comparable
federal
law
and
28
corresponding
regulations.
29
3.
A
licensee
shall
have
one
hundred
eighty
days
from
the
30
date
the
licensee
no
longer
qualifies
for
exemption
under
31
subsection
1
or
2
to
comply
with
this
chapter.
32
Sec.
14.
NEW
SECTION
.
507F.14
Penalties.
33
A
licensee
that
violates
this
chapter
shall
be
subject
to
34
penalties
pursuant
to
section
505.7A
and
chapter
507B.
35
-18-
LSB
1335HV
(2)
89
ko/rn
18/
24
H.F.
719
Sec.
15.
NEW
SECTION
.
507F.15
Rules
and
enforcement.
1
1.
The
commissioner
may
adopt
rules
pursuant
to
chapter
17A
2
as
necessary
to
administer
this
chapter.
3
2.
The
commissioner
may
take
any
enforcement
action
under
4
the
commissioner’s
authority
to
enforce
compliance
with
this
5
chapter.
6
Sec.
16.
NEW
SECTION
.
507F.16
Severability.
7
If
any
provision
of
this
chapter
or
its
application
to
any
8
person
or
circumstance
is
held
invalid,
the
invalidity
shall
9
not
affect
other
provisions
or
applications
of
this
chapter
10
which
can
be
given
effect
without
the
invalid
provision
or
11
application,
and
to
this
end
the
provisions
of
this
chapter
are
12
severable.
13
Sec.
17.
EFFECTIVE
DATE.
This
Act
takes
effect
January
1,
14
2022.
15
EXPLANATION
16
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
17
the
explanation’s
substance
by
the
members
of
the
general
assembly.
18
This
bill
relates
to
the
exclusive
state
standards
for
data
19
security,
and
investigations
and
notifications
of
cybersecurity
20
events,
for
certain
licensees
under
the
jurisdiction
of
the
21
commissioner
of
insurance.
The
bill
is
based
on
the
national
22
association
of
insurance
commissioners’
(NAIC)
insurance
data
23
security
model
law.
24
“Licensee”
is
defined
in
the
bill
as
a
person
licensed,
25
authorized
to
operate,
or
registered,
or
required
to
be
26
licensed,
authorized
to
operate,
or
registered
pursuant
to
the
27
insurance
laws
of
this
state.
“Licensee”
does
not
include
28
a
purchasing
group
or
a
risk
retention
group
chartered
and
29
licensed
in
a
state
other
than
this
state,
or
a
person
acting
30
as
an
assuming
insurer
that
is
domiciled
in
another
state
or
31
jurisdiction.
The
bill
does
not
create
or
imply
a
private
32
cause
of
action
for
a
violation
of
its
provisions,
and
does
not
33
curtail
a
private
cause
of
action
that
would
otherwise
exist
in
34
the
absence
of
the
bill.
35
-19-
LSB
1335HV
(2)
89
ko/rn
19/
24
H.F.
719
The
bill
requires
licensees
to
develop,
implement,
and
1
maintain
a
comprehensive
written
information
security
program
2
(program)
based
on
the
licensee’s
risk
assessment
(assessment)
3
conducted
pursuant
to
the
bill.
Licensees
must
comply
with
4
the
program
requirements
no
later
than
January
1,
2023.
The
5
program
must
safeguard
the
licensee’s
nonpublic
information
6
and
information
system.
“Information
system”
is
defined
in
7
the
bill
as
a
discrete
set
of
electronic
information
resources
8
organized
for
the
collection,
processing,
maintenance,
use,
9
sharing,
dissemination,
or
disposition
of
electronic
nonpublic
10
information,
and
any
specialized
system
such
as
an
industrial
11
or
process
controls
system,
a
telephone
switching
and
private
12
branch
exchange
system,
or
an
environmental
control
system.
13
“Nonpublic
information”
is
also
defined
in
the
bill.
Certain
14
licensees
and
other
persons
are
exempt
from
the
program
15
requirement
as
detailed
in
the
bill.
The
bill
requires
a
16
licensee’s
program
to
protect
the
security
and
confidentiality
17
of
nonpublic
information
and
the
security
of
the
information
18
system,
to
protect
against
threats
or
hazards
to
the
security
19
or
integrity
of
nonpublic
information
and
the
information
20
system,
to
protect
against
unauthorized
access
to
or
the
use
of
21
nonpublic
information,
to
minimize
the
likelihood
of
harm
to
22
consumers,
and
to
define
and
periodically
reevaluate
a
schedule
23
for
the
retention
and
destruction
of
nonpublic
information.
24
A
licensee’s
assessment
must
designate
one
or
more
25
employees,
an
affiliate,
or
an
outside
vendor
to
act
on
26
behalf
of
the
licensee
and
to
have
responsibility
for
the
27
program;
identify
reasonably
foreseeable
internal
or
external
28
threats
that
may
result
in
unauthorized
access,
transmission,
29
disclosure,
misuse,
alteration,
or
destruction
of
nonpublic
30
information,
including
nonpublic
information
that
is
accessible
31
to,
or
held
by,
a
third-party
service
provider;
assess
the
32
probability
of
and
the
potential
damage
caused
by
identified
33
threats;
and
assess
the
sufficiency
of
policies,
procedures,
34
information
systems,
and
other
safeguards
in
place
to
manage
35
-20-
LSB
1335HV
(2)
89
ko/rn
20/
24
H.F.
719
identified
threats.
The
assessment
must
include
consideration
1
of
threats
identified
in
each
relevant
area
of
the
licensee’s
2
operations.
3
Based
on
a
licensee’s
assessment,
the
bill
requires
4
the
licensee
to
design
the
program
to
mitigate
identified
5
risks,
to
determine
and
implement
appropriate
security
6
measures,
to
include
cybersecurity
risks
in
the
licensee’s
7
enterprise-wide
risk
management
process,
to
maintain
knowledge
8
and
understanding
of
emerging
threats
or
vulnerabilities,
to
9
utilize
reasonable
security
measures
when
sharing
information,
10
and
to
provide
the
licensee’s
personnel
with
cybersecurity
11
awareness
training.
12
If
a
licensee
has
a
board
of
directors,
the
bill
directs
13
the
board
to
require
the
licensee’s
executive
management
14
or
its
delegates
to
develop,
implement,
and
maintain
the
15
licensee’s
program,
and
to
provide
an
annual
report
to
the
16
board
that
documents
the
information
specified
in
the
bill.
17
If
a
licensee’s
executive
management
delegates
any
of
its
18
responsibilities,
it
must
oversee
the
delegate’s
development,
19
implementation,
and
maintenance
of
the
licensee’s
program.
20
As
part
of
a
licensee’s
program,
the
bill
requires
the
21
licensee
to
establish
a
written
incident
response
plan
(plan)
22
designed
to
respond
to,
and
recover
from,
a
cybersecurity
23
event
that
compromises
the
confidentiality,
integrity,
or
24
availability
of
nonpublic
information
in
the
licensee’s
25
possession
or
information
systems;
or
that
compromises
26
the
continuing
functionality
of
the
licensee’s
operations.
27
The
plan
must
address
all
criteria
specified
in
the
bill.
28
“Cybersecurity
event”
is
defined
in
the
bill
as
an
event
29
resulting
in
unauthorized
access
to,
or
the
disruption
or
30
misuse
of,
an
information
system
or
of
nonpublic
information
31
stored
on
an
information
system.
“Cybersecurity
event”
does
32
not
include
the
unauthorized
acquisition
of
encrypted
nonpublic
33
information
if
the
encryption,
process,
or
key
is
not
also
34
acquired,
released,
or
used
without
authorization;
or
an
35
-21-
LSB
1335HV
(2)
89
ko/rn
21/
24
H.F.
719
event
for
which
a
licensee
has
determined
that
the
nonpublic
1
information
accessed
by
an
unauthorized
person
has
not
been
2
used
or
released,
and
the
nonpublic
information
has
been
3
returned
or
destroyed.
Insurers
domiciled
in
this
state
must
4
submit
an
annual
certification
to
the
commissioner
that
the
5
insurer
is
in
compliance
with
the
plan
requirements.
6
The
bill
requires
a
licensee
to
exercise
due
diligence
in
7
the
selection
of
a
third-party
service
provider
(provider),
8
to
conduct
oversight
of
all
provider
arrangements,
and
to
9
require
all
providers
to
implement
appropriate
administrative,
10
technical,
and
physical
measures
to
protect
and
secure
11
the
information
systems
and
nonpublic
information
that
are
12
accessible
to,
or
held
by,
the
provider.
Licensees
must
13
comply
with
these
requirements
no
later
than
January
1,
2024.
14
“Third-party
service
provider”
is
defined
in
the
bill
as
a
15
person
that
is
not
a
licensee
that
contracts
with
a
licensee
16
to
maintain,
process,
store,
or
is
otherwise
permitted
access
17
to
nonpublic
information
through
the
person’s
provision
of
18
services
to
the
licensee.
19
If
a
licensee
discovers
that
a
cybersecurity
event
has
20
occurred,
or
that
a
cybersecurity
event
may
have
occurred,
21
the
licensee,
or
the
outside
vendor
or
provider
the
licensee
22
has
designated
to
act
on
behalf
of
the
licensee,
must
conduct
23
a
prompt
investigation
of
the
event
as
detailed
in
the
bill.
24
If
a
licensee
learns
that
a
cybersecurity
event
has
occurred,
25
or
may
have
occurred,
in
an
information
system
maintained
by
26
a
provider
of
the
licensee,
the
licensee
must
complete
the
27
same
type
of
investigation,
or
confirm
and
document
that
the
28
provider
has
completed
such
an
investigation.
A
licensee
29
must
maintain
all
records
and
documentation
related
to
the
30
licensee’s
investigation
for
a
minimum
of
five
years
from
the
31
date
of
the
cybersecurity
event.
32
A
licensee
is
required
to
notify
the
commissioner
no
later
33
than
three
business
days
from
the
date
of
the
licensee’s
34
confirmation
of
a
cybersecurity
event
if
the
licensee
is
an
35
-22-
LSB
1335HV
(2)
89
ko/rn
22/
24
H.F.
719
insurer
who
is
domiciled
in
this
state,
or
is
a
producer
whose
1
home
state
is
this
state,
and
the
laws
of
this
state
or
federal
2
law
requires
notice
to
a
government
body,
self-regulatory
3
agency,
or
other
supervisory
body.
A
licensee
must
also
4
notify
the
commissioner
if
the
cybersecurity
event
has
a
5
reasonable
likelihood
of
causing
material
harm
to
a
consumer,
6
or
to
a
material
part
of
the
normal
business,
operations,
or
7
security
of
the
licensee;
or
the
licensee
reasonably
believes
8
that
nonpublic
information
compromised
by
the
cybersecurity
9
event
involves
250
or
more
consumers
and
state
or
federal
10
law
requires
notice
to
a
government
body,
self-regulatory
11
agency,
or
other
supervisory
body.
The
licensee
must
provide
12
the
commissioner
with
the
information
specified
in
the
bill
13
and
has
a
continuing
obligation
to
update
and
supplement
the
14
information
as
material
changes
to
the
information
occur.
15
In
the
event
of
a
cybersecurity
event
involving
nonpublic
16
information,
the
licensee
must
notify
consumers
as
detailed
17
in
the
bill.
The
bill
also
details
the
requirements
for
18
cybersecurity
event
notifications
related
to
providers,
19
reinsurers,
and
producers
of
record.
20
The
bill
details
confidentiality
and
privilege
as
applied
21
to
documents,
materials,
or
other
information
furnished
by
a
22
licensee,
or
that
are
obtained
by
the
commissioner
pursuant
to
23
an
investigation
or
examination,
and
that
are
in
the
control
24
or
possession
of
the
commissioner.
The
bill
details
which
25
documents,
materials,
or
other
information
do
not
constitute
26
a
public
record
under
Code
chapter
22;
are
not
subject
to
27
subpoena
and
discovery;
and
are
not
admissible
in
a
private
28
civil
action.
The
bill
also
describes
how
the
documents,
29
materials,
and
other
information
may
be
shared
or
used
by
the
30
commissioner.
31
The
bill
does
not
apply
to
a
licensee
that
is
subject
to,
32
and
in
compliance
with,
the
Health
Insurance
Portability
and
33
Accountability
Act
of
1996
(HIPAA);
or
to
a
licensee
that
34
is
owned
or
controlled
by
a
federally
insured
depository
35
-23-
LSB
1335HV
(2)
89
ko/rn
23/
24
H.F.
719
institution
that
is
subject
to,
and
in
compliance
with,
the
1
Gramm-Leach-Bliley
Act
(GLBA)
or
comparable
federal
law
and
2
corresponding
regulations.
The
licensee
must
submit
an
annual
3
written
certification
to
the
commissioner
of
the
licensee’s
4
compliance
with
HIPAA
or
GLBA.
5
A
licensee
that
violates
the
bill
shall
be
subject
to
6
penalties
pursuant
to
Code
section
505.7A
and
Code
chapter
7
507B.
8
The
commissioner
may
adopt
rules
to
administer
the
bill
9
and
may
take
any
enforcement
action
under
the
commissioner’s
10
authority
to
enforce
compliance
with
the
bill.
11
If
any
provision
of
the
bill,
or
its
application
to
any
12
person
or
circumstance
is
held
invalid,
the
invalidity
does
not
13
affect
other
provisions
or
applications
of
the
bill
which
can
14
be
given
effect
without
the
invalid
provision
or
application.
15
The
bill
takes
effect
January
1,
2022.
16
-24-
LSB
1335HV
(2)
89
ko/rn
24/
24