Senate Study Bill 1190 - Introduced
SENATE/HOUSE FILE _____
BY (PROPOSED DEPARTMENT OF COMMERCE/INSURANCE DIVISION BILL)

A BILL FOR

An Act relating to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1335XD (6) 89 ko/rn
S.F. _____ H.F. _____

Section 1. NEW SECTION. 507F.1 Title.
This chapter may be cited as the “Insurance Data Security Act”.

Sec. 2. NEW SECTION. 507F.2 Purpose and scope.
1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.

Sec. 3. NEW SECTION. 507F.3 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.

-1- LSB 1335XD (6) 89 ko/rn 1/ 26

5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
7. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
8. “Home state” means the same as defined in section 522B.1.
9. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
10. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
11. “Insurer” means the same as defined in section 521A.1.
12. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
13. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
14. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
15. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
16. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.
17. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
18. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

Sec. 4. NEW SECTION. 507F.4 Information security program.
1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
(a) Has fewer than ten individuals on its workforce, including employees and independent contractors.
(b) Has less than five million dollars in gross annual revenue.
(c) Has less than ten million dollars in year-end total assets.
(2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
2. A licensee’s information security program must be designed to do all of the following:
a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
(1) Employee training and management.
(2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
(3) Detection, prevention, and response to an attack, intrusion, or other system failure.
e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
a. Develop, implement, and maintain an information security program as described in subsections 1 and 2.
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
(1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities’ relative importance to the licensee’s business objectives and risk strategy.
(3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
(4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
(5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
(6) Modify information systems in accordance with the licensee’s information security program.
(7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
(8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
(9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
(10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
(11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(1) Develop, implement, and maintain the licensee’s information security program.
(2) Provide a written report to the board, at least annually, that documents all of the following:
(a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
(b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
b. If a licensee’s executive management delegates any of its responsibilities under this section, the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a”, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.
6. A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
7. As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
a. The licensee’s internal process for responding to a cybersecurity event.
b. The goals of the licensee’s incident response plan.
c. The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan.
d. External communications, internal communications, and information sharing related to a cybersecurity event.
e. The identification of remediation requirements for weaknesses identified in information systems and associated controls.
f. Documentation and reporting regarding cybersecurity events and related incident response activities.
g. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
S.F. _____ H.F. _____ 8. An insurer domiciled in this state shall annually 1 submit to the commissioner on or before April 15 a written 2 certification that the insurer is in compliance with this 3 section. Each insurer shall maintain all records, schedules, 4 documentation, and data supporting the insurer’s certification 5 for five years. To the extent an insurer has identified an 6 area, system, or process that requires material improvement, 7 updating, or redesign, the insurer shall document the process 8 used to identify the area, system, or process, and the 9 remediation that has been implemented, or will be implemented, 10 to address the area, system, or process. All records, 11 schedules, documentation, and data described in this subsection 12 shall be made available for inspection by the commissioner, 13 or the commissioner’s representative, upon request of the 14 commissioner. 15 9. Licensees shall comply with this section no later than 16 January 1, 2023. 17 Sec. 5. NEW SECTION . 507F.5 Third-party service provider 18 arrangements. 19 1. A licensee shall exercise due diligence in the selection 20 of third-party service providers, conduct oversight of 21 all third-party service provider arrangements, and require 22 all third-party service providers to implement appropriate 23 administrative, technical, and physical measures to protect 24 and secure the information systems and nonpublic information 25 that are accessible to, or held by, the licensee’s third-party 26 service providers. 27 2. Licensees shall comply with this section no later than 28 January 1, 2024. 29 Sec. 6. NEW SECTION . 507F.6 Cybersecurity event —— 30 investigation. 31 1. If a licensee discovers that a cybersecurity event has 32 occurred, or that a cybersecurity event may have occurred, the 33 licensee, or the outside vendor or third-party service provider 34 the licensee has designated to act on behalf of the licensee, 35 -10- LSB 1335XD (6) 89 ko/rn 10/ 26
S.F. _____ H.F. _____ shall conduct a prompt investigation of the event. 1 2. During the investigation, the licensee, outside vendor, 2 or third-party service provider the licensee has designated to 3 act on behalf of the licensee, shall, at a minimum, determine 4 as much of the following as possible: 5 a. Confirm that a cybersecurity event has occurred. 6 b. Assess the nature and scope of the cybersecurity event. 7 c. Identify all nonpublic information that may have been 8 compromised by the cybersecurity event. 9 d. Perform or oversee reasonable measures to restore the 10 security of any compromised information systems in order to 11 prevent further unauthorized acquisition, release, or use of 12 nonpublic information that is in the licensee’s possession, 13 custody, or control. 14 3. If a licensee learns that a cybersecurity event has 15 occurred, or may have occurred, in an information system 16 maintained by a third-party service provider of the licensee, 17 the licensee shall complete an investigation in compliance with 18 this section, or confirm and document that the third-party 19 service provider has completed an investigation in compliance 20 with this section. 21 4. A licensee shall maintain all records and documentation 22 related to the licensee’s investigation of a cybersecurity 23 event for a minimum of five years from the date of the event, 24 and shall produce the records and documentation upon demand of 25 the commissioner. 26 Sec. 7. NEW SECTION . 507F.7 Cybersecurity event —— 27 notification and report to the commissioner. 28 1. A licensee shall notify the commissioner no later 29 than three business days from the date of the licensee’s 30 confirmation of a cybersecurity event if any of the following 31 conditions apply: 32 a. The licensee is an insurer who is domiciled in this 33 state, or is a producer whose home state is this state, and any 34 of the following apply: 35 -11- LSB 1335XD (6) 89 ko/rn 11/ 26
S.F. _____ H.F. _____ (1) State or federal law requires that notice of the 1 cybersecurity event be given by the licensee to a government 2 body, self-regulatory agency, or other supervisory body. 3 (2) The cybersecurity event has a reasonable likelihood 4 of causing material harm to a material part of the normal 5 business, operations, or security of the licensee. 6 b. The licensee reasonably believes that nonpublic 7 information compromised by the cybersecurity event involves two 8 hundred fifty or more consumers and either of the following 9 apply: 10 (1) State or federal law requires that notice of the 11 cybersecurity event be given by the licensee to a government 12 body, self-regulatory agency, or other supervisory body. 13 (2) The cybersecurity event has a reasonable likelihood of 14 causing material harm to a consumer, or to a material part of 15 the normal business, operations, or security of the licensee. 16 2. A licensee’s notification to the commissioner pursuant 17 to subsection 1 shall provide, in the form and manner 18 prescribed by the commissioner by rule, as much of the 19 following information as is available to the licensee at the 20 time of the notification: 21 a. The date and time of the cybersecurity event. 22 b. A description of how nonpublic information was exposed, 23 lost, stolen, or breached, including the specific roles 24 and responsibilities of the licensee’s third-party service 25 providers, if any. 26 c. How the licensee discovered or became aware of the 27 cybersecurity event. 28 d. If any lost, stolen, or breached nonpublic information 29 has been recovered and if so, how the recovery occurred. 30 e. The identity of the source of the cybersecurity event. 31 f. The identity of any regulatory, governmental, or law 32 enforcement agencies the licensee has notified, and the date 33 and time of each notification. 34 g. A description of the specific types of nonpublic 35 -12- LSB 1335XD (6) 89 ko/rn 12/ 26
S.F. _____ H.F. _____ information that were lost, stolen, or breached. 1 h. The total number of consumers affected by the 2 cybersecurity event. The licensee shall provide the best 3 estimate of affected consumers in the licensee’s initial report 4 to the commissioner and shall update the estimate in each 5 subsequent report to the commissioner under subsection 3. 6 i. The results of any internal review conducted by the 7 licensee that identified a lapse in the licensee’s automated 8 controls or internal procedures, or that confirmed the 9 licensee’s compliance with all automated controls or internal 10 procedures. 11 j. A description of the licensee’s efforts to remediate the 12 circumstances that allowed the cybersecurity event. 13 k. A copy of the licensee’s privacy policy. 14 l. A statement outlining the steps the licensee is taking 15 to identify and notify consumers affected by the cybersecurity 16 event. 17 m. The contact information for the individual authorized 18 to act on behalf of the licensee and who is also knowledgeable 19 regarding the cybersecurity event. 20 3. A licensee shall have a continuing obligation to update 21 and supplement the licensee’s initial notification to the 22 commissioner as material changes to information previously 23 provided to the commissioner occur. 24 Sec. 8. NEW SECTION . 507F.8 Cybersecurity event —— 25 notification to consumers. 26 1. 
In the event of a cybersecurity event involving nonpublic 27 information, consumer notification shall be made by the 28 licensee in the most expeditious manner possible and without 29 unreasonable delay consistent with the legitimate needs of law 30 enforcement as provided in subsection 2, and consistent with 31 any measures necessary for the licensee to identify contact 32 information for the affected consumers, determine the scope 33 of the cybersecurity event, and to restore the integrity, 34 security, and confidentiality of the licensee’s information 35 -13- LSB 1335XD (6) 89 ko/rn 13/ 26
S.F. _____ H.F. _____ system. 1 2. The consumer notification requirements under this 2 section may be delayed if a law enforcement agency determines 3 that consumer notification may impede a criminal investigation 4 and the agency has made a written request to the licensee to 5 delay the notification. The consumer notification required by 6 this section shall be made after the law enforcement agency 7 determines that the notification will not compromise the 8 investigation and provides written notice to the licensee that 9 consumer notification can proceed. 10 3. a. For purposes of this section, notification to an 11 affected consumer shall be provided by one of the following 12 methods: 13 (1) Written notice to the consumer’s last known address that 14 the licensee has in the licensee’s records. 15 (2) If the licensee’s customary method of communication 16 with an affected consumer is by electronic means, or is 17 consistent with the applicable provisions regarding electronic 18 records and signatures set forth in chapter 554D and the 19 federal Electronic Signatures in Global and National Commerce 20 Act, 15 U.S.C. §7001, the notice may be delivered by electronic 21 means. 22 b. If a licensee demonstrates to the satisfaction of the 23 commissioner that the cost of providing notice to affected 24 consumers will exceed two hundred fifty thousand dollars, or 25 that the class of affected consumers exceeds three hundred 26 fifty thousand persons, or that the licensee does not have 27 sufficient contact information for an affected consumer to 28 provide notice, substitute notice may be used and must consist 29 of the following: 30 (1) Notice shall be delivered by electronic means if 31 the licensee has an electronic mail address for an affected 32 consumer in the licensee’s records. 33 (2) Conspicuous posting of the notice, or a link to the 34 notice, on the internet site of the licensee if the licensee 35 -14- LSB 1335XD (6) 89 ko/rn 14/ 26
S.F. _____ H.F. _____ maintains an internet site. 1 (3) Notification via major statewide media and local media 2 in all counties in which an affected consumer resides. 3 c. If a licensee is required to provide notice of a 4 cybersecurity event to the commissioner pursuant to section 5 507F.7, subsection 1, the licensee shall submit to the 6 commissioner a copy of all consumer notices provided by the 7 licensee to affected consumers under this section. 8 4. Consumer notice pursuant to this section shall include, 9 at a minimum, all of the following: 10 a. A description of the cybersecurity event. 11 b. The approximate date and time of the cybersecurity event. 12 c. The type of nonpublic information involved in the 13 cybersecurity event. 14 d. The current telephone number, internet site, and mailing 15 address of the three largest nationwide consumer reporting 16 agencies. 17 e. Advice to the consumer to report suspected incidents of 18 identity theft related to the cybersecurity event to local law 19 enforcement or the attorney general. 20 5. Notwithstanding subsection 1, notification is not 21 required if after an investigation pursuant to section 507F.6, 22 or after consultation with appropriate federal, state, or local 23 law enforcement agencies, a licensee determines that there is 24 no reasonable likelihood of financial harm to consumers whose 25 nonpublic information is affected by a cybersecurity event. 26 Such determination must be documented by the licensee in 27 writing, maintained for a minimum of five years from the date 28 of the determination, and made available to the commissioner 29 for inspection upon request of the commissioner. 30 6. 
A licensee that was subject to a cybersecurity event 31 requiring notification to more than five hundred consumers 32 pursuant to this section shall give written notice of the event 33 to the director of the consumer protection division of the 34 office of the attorney general within five business days of 35 -15- LSB 1335XD (6) 89 ko/rn 15/ 26
S.F. _____ H.F. _____ the date the first notice is provided to an affected consumer 1 pursuant to this section. 2 Sec. 9. NEW SECTION . 507F.9 Cybersecurity event —— 3 third-party service providers. 4 1. If a licensee becomes aware of a cybersecurity 5 event in an information system maintained by a third-party 6 service provider of the licensee, the licensee shall comply 7 with section 507F.7, or the licensee may obtain a written 8 certification from the third-party service provider that 9 the provider is in compliance with section 507F.7. If the 10 third-party provider fails to provide written certification to 11 the licensee, the licensee shall comply with section 507F.7. 12 The computation of the licensee’s deadlines pursuant to section 13 507F.7 shall begin on the business day after the date on 14 which the licensee’s third-party service provider notifies 15 the licensee of a cybersecurity event, or the date on which 16 the licensee has actual knowledge of the cybersecurity event, 17 whichever date is earlier. 18 2. This section shall not be construed to prohibit or 19 abrogate an agreement between a licensee and another licensee, 20 a third-party service provider, or any other party for the 21 other licensee, third-party service provider, or other party to 22 execute the requirements under section 507F.6 or section 507F.7 23 on behalf of the licensee. 24 Sec. 10. NEW SECTION . 507F.10 Cybersecurity event 25 reinsurers. 26 1. If a cybersecurity event involves nonpublic information 27 used by, or that is in the possession, custody, or control 28 of, a licensee that is acting as an assuming insurer and that 29 does not have a direct contractual relationship with consumers 30 affected by the cybersecurity event, the assuming insurer 31 shall notify each of the assuming insurer’s affected ceding 32 insurers and the commissioner of the assuming insurer’s state 33 of domicile within three business days of determining that a 34 cybersecurity event has occurred. 
A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.

2. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.

3. Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2.

Sec. 11. NEW SECTION. 507F.11 Cybersecurity event —— producers of record.
If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.

Sec. 12. NEW SECTION. 507F.12 Confidentiality.

1. Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.

2. The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1.

3. In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may:

a. Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.

b. Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.

c. Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.

d. Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection.

4. No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section.

5. This chapter shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to chapter 22, to a database or other clearinghouse service maintained by the national association of insurance commissioners, or its affiliates and subsidiaries.

6. Documents, materials, and other information received by the commissioner under this chapter and shared pursuant to subsection 3, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action.

7. Ownership of documents, materials, and other information shared under this chapter with the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor, remains with the commissioner, and use of the documents, materials, and other information by the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor is subject to the direction of the commissioner.

Sec. 13. NEW SECTION. 507F.13 Applicability.

1. This chapter shall not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act. The licensee shall annually submit to the commissioner a written certification of the licensee’s compliance with HIPAA.

2. A licensee shall have one hundred eighty days from the date the licensee no longer qualifies for exemption under subsection 1 to comply with this chapter.

Sec. 14. NEW SECTION. 507F.14 Penalties.

A licensee that violates this chapter shall be subject to penalties pursuant to section 505.7A and chapter 507B.

Sec. 15. NEW SECTION. 507F.15 Rules and enforcement.

1. The commissioner may adopt rules pursuant to chapter 17A as necessary to administer this chapter.

2. The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with this chapter.

Sec. 16. NEW SECTION. 507F.16 Severability.
If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable.

Sec. 17. NEW SECTION. 507F.17 Effective date.

This chapter takes effect January 1, 2022.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to the exclusive state standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance. The bill is based on the national association of insurance commissioners’ (NAIC) insurance data security model law.

“Licensee” is defined in the bill as a person licensed, authorized to operate, or registered, or required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction. The bill does not create or imply a private cause of action for a violation of its provisions, and does not curtail a private cause of action that would otherwise exist in the absence of the bill.

The bill requires licensees to develop, implement, and maintain a comprehensive written information security program (program) based on the licensee’s risk assessment (assessment) conducted pursuant to the bill. Licensees must comply with the program requirements no later than January 1, 2023.
The program must safeguard the licensee’s nonpublic information and information system. “Information system” is defined in the bill as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system. “Nonpublic information” is also defined in the bill. Certain licensees and other persons are exempt from the program requirement as detailed in the bill. The bill requires a licensee’s program to protect the security and confidentiality of nonpublic information and the security of the information system, to protect against threats or hazards to the security or integrity of nonpublic information and the information system, to protect against unauthorized access to or the use of nonpublic information, to minimize the likelihood of harm to consumers, and to define and periodically reevaluate a schedule for the retention and destruction of nonpublic information.

A licensee’s assessment must designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and to have responsibility for the program; identify reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider; assess the probability of and the potential damage caused by identified threats; and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage identified threats. The assessment must include consideration of threats identified in each relevant area of the licensee’s operations.
Based on a licensee’s assessment, the bill requires the licensee to design the program to mitigate identified risks, to determine and implement appropriate security measures, to include cybersecurity risks in the licensee’s enterprise-wide risk management process, to maintain knowledge and understanding of emerging threats or vulnerabilities, to utilize reasonable security measures when sharing information, and to provide the licensee’s personnel with cybersecurity awareness training.

If a licensee has a board of directors, the bill directs the board to require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s program, and to provide an annual report to the board that documents the information specified in the bill. If a licensee’s executive management delegates any of its responsibilities, it must oversee the delegate’s development, implementation, and maintenance of the licensee’s program.

As part of a licensee’s program, the bill requires the licensee to establish a written incident response plan (plan) designed to respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession or information systems; or that compromises the continuing functionality of the licensee’s operations. The plan must address all criteria specified in the bill. “Cybersecurity event” is defined in the bill as an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
Insurers domiciled in this state must submit an annual certification to the commissioner that the insurer is in compliance with the plan requirements.

The bill requires a licensee to exercise due diligence in the selection of a third-party service provider (provider), to conduct oversight of all provider arrangements, and to require all providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the provider. Licensees must comply with these requirements no later than January 1, 2024. “Third-party service provider” is defined in the bill as a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or provider the licensee has designated to act on behalf of the licensee, must conduct a prompt investigation of the event as detailed in the bill. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a provider of the licensee, the licensee must complete the same type of investigation, or confirm and document that the provider has completed such an investigation. A licensee must maintain all records and documentation related to the licensee’s investigation for a minimum of five years from the date of the cybersecurity event.

A licensee is required to notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if the licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body.
A licensee must also notify the commissioner if the cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee; or the licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves 250 or more consumers and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. The licensee must provide the commissioner with the information specified in the bill and has a continuing obligation to update and supplement the information as material changes to the information occur.

In the event of a cybersecurity event involving nonpublic information, the licensee must notify consumers as detailed in the bill. A licensee that has to provide notification to more than 500 consumers must also give written notice to the director of the consumer protection division of the office of the attorney general within five business days of the date the first notice of the cybersecurity event is provided to an affected consumer. The bill also details the requirements for cybersecurity event notifications related to providers, reinsurers, and producers of record.

The bill details confidentiality and privilege as applied to documents, materials, or other information furnished by a licensee, or that are obtained by the commissioner pursuant to an investigation or examination, and that are in the control or possession of the commissioner. The bill details which documents, materials, or other information do not constitute a public record under Code chapter 22; are not subject to subpoena and discovery; and are not admissible in a private civil action. The bill also describes how the documents, materials, and other information may be shared or used by the commissioner.

The bill does not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The licensee must submit an annual written certification to the commissioner of the licensee’s compliance with HIPAA.

A licensee that violates the bill shall be subject to penalties pursuant to Code section 505.7A and Code chapter 507B.

The commissioner may adopt rules to administer the bill and may take any enforcement action under the commissioner’s authority to enforce compliance with the bill.

If any provision of the bill, or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the bill which can be given effect without the invalid provision or application.

The bill takes effect January 1, 2022.