House File 719 - Introduced
HOUSE FILE 719
BY COMMITTEE ON INFORMATION TECHNOLOGY
(SUCCESSOR TO HSB 198)

A BILL FOR
An Act relating to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 1335HV (2) 89 ko/rn
H.F. 719

Section 1. NEW SECTION. 507F.1 Title.
This chapter may be cited as the “Insurance Data Security Act”.

Sec. 2. NEW SECTION. 507F.2 Purpose and scope.
1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.

Sec. 3. NEW SECTION. 507F.3 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
7. “Gramm-Leach-Bliley Act” means the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., including amendments thereto and regulations promulgated thereunder.
8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
9. “Home state” means the same as defined in section 522B.1.
10. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
11. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
12. “Insurer” means the same as defined in section 521A.1.
13. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
14. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
15. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
16. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
17. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.
18. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
19. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

Sec. 4. NEW SECTION. 507F.4 Information security program.
1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
(a) Has fewer than twenty individuals on its workforce, including employees and independent contractors.
(b) Has less than five million dollars in gross annual revenue.
(c) Has less than ten million dollars in year-end total assets.
(2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
2. A licensee’s information security program must be designed to do all of the following:
a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
(1) Employee training and management.
(2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
(3) Detection, prevention, and response to an attack, intrusion, or other system failure.
e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
a. Develop, implement, and maintain an information security program as described in subsections 1 and 2.
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
(1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy.
(3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
(4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
(5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
(6) Modify information systems in accordance with the licensee’s information security program.
(7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
(8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
(9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
(10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
(11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(1) Develop, implement, and maintain the licensee’s information security program.
(2) Provide a written report to the board, at least annually, that documents all of the following:
(a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
(b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
b. If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a”, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.
6. A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
7. As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
a. The licensee’s internal process for responding to a cybersecurity event.
b. The goals of the licensee’s incident response plan.
c. The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan.
d. External communications, internal communications, and information sharing related to a cybersecurity event.
e. The identification of remediation requirements for weaknesses identified in information systems and associated controls.
f. Documentation and reporting regarding cybersecurity events and related incident response activities.
g. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
8. An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for five years. To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, the insurer shall document the process used to identify the area, system, or process, and the remediation that has been implemented, or will be implemented, to address the area, system, or process. All records, schedules, documentation, and data described in this subsection shall be made available for inspection by the commissioner, or the commissioner’s representative, upon request of the commissioner.
9. Licensees shall comply with this section no later than January 1, 2023.

Sec. 5. NEW SECTION. 507F.5 Third-party service provider arrangements.
1. A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers.
2. Licensees shall comply with this section no later than January 1, 2024.

Sec. 6. NEW SECTION. 507F.6 Cybersecurity event —— investigation.
1. If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on behalf of the licensee, shall conduct a prompt investigation of the event.
2. During the investigation, the licensee, outside vendor, or third-party service provider the licensee has designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following as possible:
a. Confirm that a cybersecurity event has occurred.
b. Assess the nature and scope of the cybersecurity event.
c. Identify all nonpublic information that may have been compromised by the cybersecurity event.
d. Perform or oversee reasonable measures to restore the security of any compromised information systems in order to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.
3. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee shall complete an investigation in compliance with this section, or confirm and document that the third-party service provider has completed an investigation in compliance with this section.
4. A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner.

Sec. 7. NEW SECTION. 507F.7 Cybersecurity event —— notification and report to the commissioner.
1. A licensee shall notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if any of the following conditions apply:
a. The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply:
(1) The laws of this state or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
(2) The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee.
b. The licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves two hundred fifty or more consumers and either of the following apply:
(1) State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
(2) The cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee.
2. A licensee’s notification to the commissioner pursuant to subsection 1 shall provide, in the form and manner prescribed by the commissioner by rule, as much of the following information as is available to the licensee at the time of the notification:
a. The date and time of the cybersecurity event.
b. A description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of the licensee’s third-party service providers, if any.
c. How the licensee discovered or became aware of the cybersecurity event.
d. If any lost, stolen, or breached nonpublic information has been recovered and if so, how the recovery occurred.
e. The identity of the source of the cybersecurity event.
f. The identity of any regulatory, governmental, or law enforcement agencies the licensee has notified, and the date and time of each notification.
g. A description of the specific types of nonpublic information that were lost, stolen, or breached.
h. The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under subsection 3.
i. The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures.
j. A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event.
k. A copy of the licensee’s privacy policy.
l. A statement outlining the steps the licensee is taking to identify and notify consumers affected by the cybersecurity event.
m. The contact information for the individual authorized to act on behalf of the licensee and who is also knowledgeable regarding the cybersecurity event.
3. A licensee shall have a continuing obligation to update and supplement the licensee’s initial notification to the commissioner as material changes to information previously provided to the commissioner occur.

Sec. 8. NEW SECTION. 507F.8 Cybersecurity event —— notification to consumers.
1. In the event of a cybersecurity event involving nonpublic information a licensee shall comply with the notification requirements pursuant to section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
2. If a licensee is required to provide notice of a cybersecurity event to the commissioner pursuant to section 507F.7, subsection 1, the licensee shall submit to the commissioner a copy of the consumer notices provided by the licensee to consumers under this section.

Sec. 9. NEW SECTION. 507F.9 Cybersecurity event —— third-party service providers.
1. If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier.
2. This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under section 507F.6 or section 507F.7 on behalf of the licensee.

Sec. 10. NEW SECTION. 507F.10 Cybersecurity event —— reinsurers.
1. If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
2. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
3. Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2.

Sec. 11. NEW SECTION. 507F.11 Cybersecurity event —— producers of record.
If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.

Sec. 12. NEW SECTION. 507F.12 Confidentiality.
1. Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.
2. The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1.
3. In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may:
a. Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.
b. Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.
c. Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.
d. Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection.
4. No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section.
5. This chapter shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public
H.F. 719 inspection pursuant to chapter 22, to a database or other 1 clearinghouse service maintained by the national association of 2 insurance commissioners, or its affiliates and subsidiaries. 3 6. Documents, materials, and other information received 4 by the commissioner under this chapter and shared pursuant to 5 subsection 3, shall be confidential by law and privileged, 6 shall not constitute a public record under chapter 22, shall 7 not be subject to subpoena or discovery, and shall not be 8 admissible as evidence in a private civil action. 9 7. Ownership of documents, materials, and other information 10 shared under this chapter with the national association of 11 insurance commissioners, its affiliates and subsidiaries, 12 or a third-party consultant or vendor, remains with the 13 commissioner, and use of the documents, materials, and 14 other information by the national association of insurance 15 commissioners, its affiliates and subsidiaries, or a 16 third-party consultant or vendor is subject to the direction of 17 the commissioner. 18 Sec. 13. NEW SECTION . 507F.13 Applicability. 19 1. This chapter shall not apply to a licensee that is 20 subject to, and in compliance with, the Health Insurance 21 Portability and Accountability Act. The licensee shall 22 annually submit to the commissioner a written certification of 23 the licensee’s compliance with HIPAA. 24 2. This chapter shall not apply to a licensee that 25 is owned or controlled by a federally insured depository 26 institution that is subject to, and in compliance with, 27 the Gramm-Leach-Bliley Act or comparable federal law and 28 corresponding regulations. 29 3. A licensee shall have one hundred eighty days from the 30 date the licensee no longer qualifies for exemption under 31 subsection 1 or 2 to comply with this chapter. 32 Sec. 14. NEW SECTION . 507F.14 Penalties. 33 A licensee that violates this chapter shall be subject to 34 penalties pursuant to section 505.7A and chapter 507B. 
Sec. 15. NEW SECTION. 507F.15 Rules and enforcement.
1. The commissioner may adopt rules pursuant to chapter 17A as necessary to administer this chapter.
2. The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with this chapter.

Sec. 16. NEW SECTION. 507F.16 Severability.
If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable.

Sec. 17. EFFECTIVE DATE. This Act takes effect January 1, 2022.

EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to the exclusive state standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance. The bill is based on the national association of insurance commissioners’ (NAIC) insurance data security model law.

“Licensee” is defined in the bill as a person licensed, authorized to operate, or registered, or required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction. The bill does not create or imply a private cause of action for a violation of its provisions, and does not curtail a private cause of action that would otherwise exist in the absence of the bill.

The bill requires licensees to develop, implement, and maintain a comprehensive written information security program (program) based on the licensee’s risk assessment (assessment) conducted pursuant to the bill. Licensees must comply with the program requirements no later than January 1, 2023. The program must safeguard the licensee’s nonpublic information and information system. “Information system” is defined in the bill as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system. “Nonpublic information” is also defined in the bill. Certain licensees and other persons are exempt from the program requirement as detailed in the bill. The bill requires a licensee’s program to protect the security and confidentiality of nonpublic information and the security of the information system, to protect against threats or hazards to the security or integrity of nonpublic information and the information system, to protect against unauthorized access to or the use of nonpublic information, to minimize the likelihood of harm to consumers, and to define and periodically reevaluate a schedule for the retention and destruction of nonpublic information.

A licensee’s assessment must designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and to have responsibility for the program; identify reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider; assess the probability of and the potential damage caused by identified threats; and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage identified threats. The assessment must include consideration of threats identified in each relevant area of the licensee’s operations.

Based on a licensee’s assessment, the bill requires the licensee to design the program to mitigate identified risks, to determine and implement appropriate security measures, to include cybersecurity risks in the licensee’s enterprise-wide risk management process, to maintain knowledge and understanding of emerging threats or vulnerabilities, to utilize reasonable security measures when sharing information, and to provide the licensee’s personnel with cybersecurity awareness training.

If a licensee has a board of directors, the bill directs the board to require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s program, and to provide an annual report to the board that documents the information specified in the bill. If a licensee’s executive management delegates any of its responsibilities, it must oversee the delegate’s development, implementation, and maintenance of the licensee’s program.

As part of a licensee’s program, the bill requires the licensee to establish a written incident response plan (plan) designed to respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession or information systems; or that compromises the continuing functionality of the licensee’s operations. The plan must address all criteria specified in the bill. “Cybersecurity event” is defined in the bill as an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed. Insurers domiciled in this state must submit an annual certification to the commissioner that the insurer is in compliance with the plan requirements.

The bill requires a licensee to exercise due diligence in the selection of a third-party service provider (provider), to conduct oversight of all provider arrangements, and to require all providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the provider. Licensees must comply with these requirements no later than January 1, 2024. “Third-party service provider” is defined in the bill as a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or provider the licensee has designated to act on behalf of the licensee, must conduct a prompt investigation of the event as detailed in the bill. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a provider of the licensee, the licensee must complete the same type of investigation, or confirm and document that the provider has completed such an investigation. A licensee must maintain all records and documentation related to the licensee’s investigation for a minimum of five years from the date of the cybersecurity event.

A licensee is required to notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if the licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and the laws of this state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. A licensee must also notify the commissioner if the cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee; or the licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves 250 or more consumers and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. The licensee must provide the commissioner with the information specified in the bill and has a continuing obligation to update and supplement the information as material changes to the information occur.

In the event of a cybersecurity event involving nonpublic information, the licensee must notify consumers as detailed in the bill. The bill also details the requirements for cybersecurity event notifications related to providers, reinsurers, and producers of record.

The bill details confidentiality and privilege as applied to documents, materials, or other information furnished by a licensee, or that are obtained by the commissioner pursuant to an investigation or examination, and that are in the control or possession of the commissioner. The bill details which documents, materials, or other information do not constitute a public record under Code chapter 22; are not subject to subpoena and discovery; and are not admissible in a private civil action. The bill also describes how the documents, materials, and other information may be shared or used by the commissioner.

The bill does not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA); or to a licensee that is owned or controlled by a federally insured depository institution that is subject to, and in compliance with, the Gramm-Leach-Bliley Act (GLBA) or comparable federal law and corresponding regulations. The licensee must submit an annual written certification to the commissioner of the licensee’s compliance with HIPAA or GLBA.

A licensee that violates the bill shall be subject to penalties pursuant to Code section 505.7A and Code chapter 507B.

The commissioner may adopt rules to administer the bill and may take any enforcement action under the commissioner’s authority to enforce compliance with the bill.

If any provision of the bill, or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the bill which can be given effect without the invalid provision or application.

The bill takes effect January 1, 2022.