Senate
Study
Bill
1190
-
Introduced
SENATE/HOUSE
FILE
_____
BY
(PROPOSED
DEPARTMENT
OF
COMMERCE/INSURANCE
DIVISION
BILL)
A
BILL
FOR
An
Act
relating
to
standards
for
data
security,
and
1
investigations
and
notifications
of
cybersecurity
events,
2
for
certain
licensees
under
the
jurisdiction
of
the
3
commissioner
of
insurance,
making
penalties
applicable,
and
4
including
effective
date
provisions.
5
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
6
TLSB
1335XD
(6)
89
ko/rn
S.F.
_____
H.F.
_____
Section
1.
NEW
SECTION
.
507F.1
Title.
1
This
chapter
may
be
cited
as
the
“Insurance
Data
Security
2
Act”
.
3
Sec.
2.
NEW
SECTION
.
507F.2
Purpose
and
scope.
4
1.
Notwithstanding
any
provision
of
law
to
the
contrary,
5
this
chapter
establishes
the
exclusive
state
standards
for
6
data
security,
and
the
investigation
and
notification
of
7
cybersecurity
events,
applicable
to
licensees.
8
2.
This
chapter
shall
not
be
construed
to
create
or
imply
9
a
private
cause
of
action
for
a
violation
of
its
provisions,
10
and
shall
not
be
construed
to
curtail
a
private
cause
of
action
11
that
otherwise
exists
in
the
absence
of
this
chapter.
12
Sec.
3.
NEW
SECTION
.
507F.3
Definitions.
13
As
used
in
this
chapter,
unless
the
context
otherwise
14
requires:
15
1.
“Authorized
individual”
means
an
individual
known
to
16
and
screened
by
a
licensee
and
determined
to
be
necessary
and
17
appropriate
to
have
access
to
nonpublic
information
held
by
the
18
licensee
and
the
licensee’s
information
system.
19
2.
“Commissioner”
means
the
commissioner
of
insurance.
20
3.
“Consumer”
means
an
individual,
including
but
not
limited
21
to
an
applicant,
policyholder,
insured,
beneficiary,
claimant,
22
or
certificate
holder,
who
is
a
resident
of
this
state
and
23
whose
nonpublic
information
is
in
a
licensee’s
possession,
24
custody,
or
control.
25
4.
“Cybersecurity
event”
means
an
event
resulting
in
26
unauthorized
access
to,
or
the
disruption
or
misuse
of,
an
27
information
system
or
of
nonpublic
information
stored
on
an
28
information
system.
“Cybersecurity
event”
does
not
include
any
29
of
the
following:
30
a.
The
unauthorized
acquisition
of
encrypted
nonpublic
31
information
if
the
encryption,
process,
or
key
is
not
also
32
acquired,
released,
or
used
without
authorization.
33
b.
An
event
for
which
a
licensee
has
determined
that
the
34
nonpublic
information
accessed
by
an
unauthorized
person
has
35
-1-
LSB
1335XD
(6)
89
ko/rn
1/
26
S.F.
_____
H.F.
_____
not
been
used
or
released,
and
the
nonpublic
information
has
1
been
returned
or
destroyed.
2
5.
“Delivered
by
electronic
means”
means
delivery
to
an
3
electronic
mail
address
at
which
a
consumer
has
consented
to
4
receive
notices
or
documents.
5
6.
“Encrypted”
means
the
transformation
of
data
into
a
form
6
that
results
in
a
low
probability
of
assigning
meaning
to
the
7
data
without
the
use
of
a
protective
process
or
key.
8
7.
“Health
Insurance
Portability
and
Accountability
9
Act”
or
“HIPAA”
means
the
Health
Insurance
Portability
and
10
Accountability
Act
of
1996,
Pub.
L.
No.
104-191,
including
11
amendments
thereto
and
regulations
promulgated
thereunder.
12
8.
“Home
state”
means
the
same
as
defined
in
section
522B.1.
13
9.
“Information
security
program”
means
the
administrative,
14
technical,
and
physical
safeguards
that
a
licensee
uses
15
to
access,
collect,
distribute,
process,
protect,
store,
16
use,
transmit,
dispose
of,
or
otherwise
handle
nonpublic
17
information.
18
10.
“Information
system”
means
a
discrete
set
of
electronic
19
information
resources
organized
for
the
collection,
processing,
20
maintenance,
use,
sharing,
dissemination,
or
disposition
of
21
electronic
information,
and
any
specialized
system
such
as
an
22
industrial
or
process
controls
system,
a
telephone
switching
23
and
private
branch
exchange
system,
or
an
environmental
control
24
system.
25
11.
“Insurer”
means
the
same
as
defined
in
section
521A.1.
26
12.
“Licensee”
means
a
person
licensed,
authorized
to
27
operate,
or
registered,
or
a
person
required
to
be
licensed,
28
authorized
to
operate,
or
registered
pursuant
to
the
insurance
29
laws
of
this
state.
“Licensee”
does
not
include
a
purchasing
30
group
or
a
risk
retention
group
chartered
and
licensed
in
a
31
state
other
than
this
state,
or
a
person
acting
as
an
assuming
32
insurer
that
is
domiciled
in
another
state
or
jurisdiction.
33
13.
“Multi-factor
authentication”
means
authentication
34
through
verification
of
at
least
two
of
the
following
types
of
35
-2-
LSB
1335XD
(6)
89
ko/rn
2/
26
S.F.
_____
H.F.
_____
authentication
factors:
1
a.
A
knowledge
factor,
such
as
a
password.
2
b.
A
possession
factor,
such
as
a
token
or
text
message
on
a
3
mobile
phone.
4
c.
An
inherence
factor,
such
as
a
biometric
characteristic.
5
14.
“Nonpublic
information”
means
electronic
information
6
that
is
not
publicly
available
information
and
that
is
any
of
7
the
following:
8
a.
Business-related
information
of
a
licensee
the
tampering
9
of
which,
or
unauthorized
disclosure,
access,
or
use
of
10
which,
will
cause
a
material
adverse
impact
to
the
business,
11
operations,
or
security
of
the
licensee.
12
b.
Information
concerning
a
consumer
which
can
be
used
to
13
identify
the
consumer
due
to
a
name,
number,
personal
mark,
or
14
other
identifier,
used
in
combination
with
any
one
or
more
of
15
the
following
data
elements:
16
(1)
A
social
security
number.
17
(2)
A
driver’s
license
number
or
a
nondriver
identification
18
card
number.
19
(3)
A
financial
account
number,
a
credit
card
number,
or
a
20
debit
card
number.
21
(4)
A
security
code,
an
access
code,
or
a
password
that
will
22
permit
access
to
a
consumer’s
financial
accounts.
23
(5)
A
biometric
record.
24
c.
Information
or
data,
except
age
or
gender,
in
any
form
or
25
medium
created
by
or
derived
from
a
health
care
provider
or
a
26
consumer,
and
that
relates
to
any
of
the
following:
27
(1)
The
past,
present,
or
future
physical,
mental
or
28
behavioral
health
or
condition
of
a
consumer,
or
a
member
of
29
the
consumer’s
family.
30
(2)
The
provision
of
health
care
services
to
a
consumer.
31
(3)
Payment
for
the
provision
of
health
care
services
to
a
32
consumer.
33
15.
“Person”
means
an
individual
or
a
nongovernmental
34
entity,
including
but
not
limited
to
a
nongovernmental
35
-3-
LSB
1335XD
(6)
89
ko/rn
3/
26
S.F.
_____
H.F.
_____
partnership,
corporation,
branch,
agency,
or
association.
1
16.
“Publicly
available
information”
means
information
2
that
a
licensee
has
a
reasonable
basis
to
believe
is
lawfully
3
made
available
to
the
general
public
from
federal,
state,
or
4
local
government
records,
by
widely
distributed
media,
or
by
5
disclosure
to
the
general
public
as
required
by
federal,
state,
6
or
local
law.
For
purposes
of
this
definition,
a
licensee
has
7
a
reasonable
basis
to
believe
that
information
is
lawfully
made
8
available
to
the
general
public
if
the
licensee
has
determined
9
all
of
the
following:
10
a.
That
the
information
is
of
a
type
that
is
available
to
11
the
general
public.
12
b.
That
if
a
consumer
may
direct
that
the
information
not
13
be
made
available
to
the
general
public,
that
the
consumer
has
14
not
directed
that
the
information
not
be
made
available
to
the
15
general
public.
16
17.
“Risk
assessment”
means
the
assessment
that
a
licensee
17
is
required
to
conduct
pursuant
to
section
507F.4,
subsection
18
3.
19
18.
“Third-party
service
provider”
means
a
person
that
is
20
not
a
licensee
that
contracts
with
a
licensee
to
maintain,
21
process,
store,
or
is
otherwise
permitted
access
to
nonpublic
22
information
through
the
person’s
provision
of
services
to
the
23
licensee.
24
Sec.
4.
NEW
SECTION
.
507F.4
Information
security
program.
25
1.
a.
Commensurate
with
the
size
and
complexity
of
a
26
licensee,
the
nature
and
scope
of
a
licensee’s
activities
27
including
the
licensee’s
use
of
third-party
service
providers,
28
and
the
sensitivity
of
nonpublic
information
used
by
the
29
licensee
or
that
is
in
the
licensee’s
possession,
custody,
or
30
control,
the
licensee
shall
develop,
implement,
and
maintain
a
31
comprehensive
written
information
security
program
based
on
the
32
licensee’s
risk
assessment
conducted
pursuant
to
subsection
3.
33
b.
This
section
shall
not
apply
to
any
of
the
following:
34
(1)
A
licensee
that
meets
any
of
the
following
criteria:
35
-4-
LSB
1335XD
(6)
89
ko/rn
4/
26
S.F.
_____
H.F.
_____
(a)
Has
fewer
than
ten
individuals
on
its
workforce,
1
including
employees
and
independent
contractors.
2
(b)
Has
less
than
five
million
dollars
in
gross
annual
3
revenue.
4
(c)
Has
less
than
ten
million
dollars
in
year-end
total
5
assets.
6
(2)
An
employee,
agent,
representative,
or
designee
of
a
7
licensee,
and
the
employee,
agent,
representative,
or
designee
8
is
also
a
licensee,
if
the
employee,
agent,
representative,
or
9
designee
is
covered
by
the
information
security
program
of
the
10
other
licensee.
11
c.
A
licensee
shall
have
one
hundred
eighty
calendar
days
12
from
the
date
the
licensee
no
longer
qualifies
for
exemption
13
under
paragraph
“b”
to
comply
with
this
section.
14
2.
A
licensee’s
information
security
program
must
be
15
designed
to
do
all
of
the
following:
16
a.
Protect
the
security
and
confidentiality
of
nonpublic
17
information
and
the
security
of
the
licensee’s
information
18
system.
19
b.
Protect
against
threats
or
hazards
to
the
security
20
or
integrity
of
nonpublic
information
and
the
licensee’s
21
information
system.
22
c.
Protect
against
unauthorized
access
to
or
the
use
of
23
nonpublic
information,
and
minimize
the
likelihood
of
harm
to
24
any
consumer.
25
d.
Define
and
periodically
reevaluate
a
schedule
for
26
retention
of
nonpublic
information
and
a
mechanism
for
the
27
destruction
of
nonpublic
information
if
retention
is
no
longer
28
necessary
for
the
licensee’s
business
operations,
or
is
no
29
longer
required
by
applicable
law.
30
3.
A
licensee
shall
conduct
a
risk
assessment
that
31
accomplishes
all
of
the
following:
32
a.
Designates
one
or
more
employees,
an
affiliate,
or
an
33
outside
vendor
to
act
on
behalf
of
the
licensee
and
that
has
34
responsibility
for
the
information
security
program.
35
-5-
LSB
1335XD
(6)
89
ko/rn
5/
26
S.F.
_____
H.F.
_____
b.
Identifies
reasonably
foreseeable
internal
or
external
1
threats
that
may
result
in
unauthorized
access,
transmission,
2
disclosure,
misuse,
alteration,
or
destruction
of
nonpublic
3
information,
including
nonpublic
information
that
is
accessible
4
to,
or
held
by,
a
third-party
service
provider.
5
c.
Assesses
the
probability
of,
and
the
potential
damage
6
caused
by,
the
threats
identified
in
paragraph
“b”
,
taking
into
7
consideration
the
sensitivity
of
nonpublic
information.
8
d.
Assesses
the
sufficiency
of
policies,
procedures,
9
information
systems,
and
other
safeguards
in
place
to
manage
10
the
threats
identified
in
paragraph
“b”
.
This
assessment
must
11
include
consideration
of
threats
identified
in
each
relevant
12
area
of
the
licensee’s
operations,
including
all
of
the
13
following:
14
(1)
Employee
training
and
management.
15
(2)
Information
systems,
including
network
and
software
16
design;
and
information
classification,
governance,
processing,
17
storage,
transmission,
and
disposal.
18
(3)
Detection,
prevention,
and
response
to
an
attack,
19
intrusion,
or
other
system
failure.
20
e.
Implements
information
safeguards
to
manage
threats
21
identified
in
the
licensee’s
ongoing
risk
assessments
and,
at
22
least
annually,
assesses
the
effectiveness
of
the
information
23
safeguards’
key
controls,
systems,
and
procedures.
24
4.
Based
on
the
risk
assessment
conducted
pursuant
to
25
subsection
3,
a
licensee
shall
do
all
of
the
following:
26
a.
Develop,
implement,
and
maintain
an
information
security
27
program
as
described
in
subsections
1
and
2.
28
b.
Determine
which
of
the
following
security
measures
are
29
appropriate
and
implement
each
appropriate
security
measure:
30
(1)
Place
access
controls
on
information
systems,
including
31
controls
to
authenticate
and
permit
access
only
to
authorized
32
individuals
to
protect
against
the
unauthorized
acquisition
of
33
nonpublic
information.
34
(2)
Identify
and
manage
the
data,
personnel,
devices,
35
-6-
LSB
1335XD
(6)
89
ko/rn
6/
26
S.F.
_____
H.F.
_____
systems,
and
facilities
that
enable
the
licensee
to
achieve
1
its
business
purposes
in
accordance
with
the
data,
personnel,
2
devices,
systems,
and
facilities
relative
importance
to
the
3
licensee’s
business
objectives
and
risk
strategy.
4
(3)
Restrict
access
of
nonpublic
information
stored
in
or
at
5
physical
locations
to
authorized
individuals
only.
6
(4)
Protect
by
encryption
or
other
appropriate
means,
7
all
nonpublic
information
while
the
nonpublic
information
8
is
transmitted
over
an
external
network,
and
all
nonpublic
9
information
that
is
stored
on
a
laptop
computer,
a
portable
10
computing
or
storage
device,
or
portable
computing
or
storage
11
media.
12
(5)
Adopt
secure
development
practices
for
in-house
13
developed
applications
utilized
by
the
licensee,
and
procedures
14
for
evaluating,
assessing,
and
testing
the
security
of
15
externally
developed
applications
utilized
by
the
licensee.
16
(6)
Modify
information
systems
in
accordance
with
the
17
licensee’s
information
security
program.
18
(7)
Utilize
effective
controls,
which
may
include
19
multi-factor
authentication
procedures
for
authorized
20
individuals
accessing
nonpublic
information.
21
(8)
Regularly
test
and
monitor
systems
and
procedures
to
22
detect
actual
and
attempted
attacks
on,
or
intrusions
into,
23
information
systems.
24
(9)
Include
audit
trails
within
the
information
security
25
program
designed
to
detect
and
respond
to
cybersecurity
events,
26
and
designed
to
reconstruct
material
financial
transactions
27
sufficient
to
support
the
normal
business
operations
and
28
obligations
of
the
licensee.
29
(10)
Implement
measures
to
protect
against
the
destruction,
30
loss,
or
damage
of
nonpublic
information
due
to
environmental
31
hazards,
natural
disasters,
catastrophes,
or
technological
32
failures.
33
(11)
Develop,
implement,
and
maintain
procedures
for
the
34
secure
disposal
of
nonpublic
information
that
is
contained
in
35
-7-
LSB
1335XD
(6)
89
ko/rn
7/
26
S.F.
_____
H.F.
_____
any
format.
1
c.
Include
cybersecurity
risks
in
the
licensee’s
2
enterprise-wide
risk
management
process.
3
d.
Maintain
knowledge
and
understanding
of
emerging
threats
4
or
vulnerabilities
and
utilize
reasonable
security
measures,
5
relative
to
the
character
of
the
sharing
and
the
type
of
6
information
being
shared,
when
sharing
information.
7
e.
Provide
the
licensee’s
personnel
with
cybersecurity
8
awareness
training
that
is
updated
as
necessary
to
reflect
9
risks
identified
by
the
licensee’s
risk
assessment.
10
5.
a.
If
a
licensee
has
a
board
of
directors,
the
board
11
or
an
appropriate
committee
of
the
board
shall
at
a
minimum
12
require
the
licensee’s
executive
management
or
the
executive
13
management’s
delegates
to:
14
(1)
Develop,
implement,
and
maintain
the
licensee’s
15
information
security
program.
16
(2)
Provide
a
written
report
to
the
board,
at
least
17
annually,
that
documents
all
of
the
following:
18
(a)
The
overall
status
of
the
licensee’s
information
19
security
program
and
the
licensee’s
compliance
with
this
20
chapter.
21
(b)
Material
matters
related
to
the
licensee’s
information
22
security
program
including
issues
such
as
risk
assessment;
risk
23
management
and
control
decisions;
third-party
service
provider
24
arrangements;
results
of
testing,
cybersecurity
events,
or
25
violations;
management’s
response
to
cybersecurity
events
or
26
violations;
and
recommendations
for
changes
in
the
licensee’s
27
information
security
program.
28
b.
If
a
licensee’s
executive
management
delegates
any
of
its
29
responsibilities
under
this
section
the
executive
management
30
shall
oversee
the
delegate’s
development,
implementation,
and
31
maintenance
of
the
licensee’s
information
security
program,
and
32
shall
require
the
delegate
to
submit
an
annual
written
report
33
to
executive
management
that
contains
the
information
required
34
under
paragraph
“a”
,
subparagraph
(2).
If
the
licensee
has
a
35
-8-
LSB
1335XD
(6)
89
ko/rn
8/
26
S.F.
_____
H.F.
_____
board
of
directors,
the
executive
management
shall
provide
a
1
copy
of
the
report
to
the
board.
2
6.
A
licensee
shall
monitor,
evaluate,
and
adjust
the
3
licensee’s
information
security
program
consistent
with
4
relevant
changes
in
technology,
the
sensitivity
of
the
5
licensee’s
nonpublic
information,
changes
to
the
licensee’s
6
information
systems,
internal
or
external
threats
to
the
7
licensee’s
nonpublic
information,
and
the
licensee’s
changing
8
business
arrangements,
including
but
not
limited
to
mergers
and
9
acquisitions,
alliances
and
joint
ventures,
and
outsourcing
10
arrangements.
11
7.
As
part
of
a
licensee’s
information
security
program,
12
a
licensee
shall
establish
a
written
incident
response
13
plan
designed
to
promptly
respond
to,
and
recover
from,
a
14
cybersecurity
event
that
compromises
the
confidentiality,
15
integrity,
or
availability
of
nonpublic
information
in
the
16
licensee’s
possession,
the
licensee’s
information
systems,
or
17
the
continuing
functionality
of
any
aspect
of
the
licensee’s
18
operations.
The
written
incident
response
plan
must
address
19
all
of
the
following:
20
a.
The
licensee’s
internal
process
for
responding
to
a
21
cybersecurity
event.
22
b.
The
goals
of
the
licensee’s
incident
response
plan.
23
c.
The
assignment
of
clear
roles,
responsibilities,
24
and
levels
of
decision-making
authority
for
the
licensee’s
25
personnel
that
participate
in
the
incident
response
plan.
26
d.
External
communications,
internal
communications,
and
27
information
sharing
related
to
a
cybersecurity
event.
28
e.
The
identification
of
remediation
requirements
for
29
weaknesses
identified
in
information
systems
and
associated
30
controls.
31
f.
Documentation
and
reporting
regarding
cybersecurity
32
events
and
related
incident
response
activities.
33
g.
The
evaluation
and
revision
of
the
incident
response
34
plan,
as
appropriate,
following
a
cybersecurity
event.
35
-9-
LSB
1335XD
(6)
89
ko/rn
9/
26
S.F.
_____
H.F.
_____
8.
An
insurer
domiciled
in
this
state
shall
annually
1
submit
to
the
commissioner
on
or
before
April
15
a
written
2
certification
that
the
insurer
is
in
compliance
with
this
3
section.
Each
insurer
shall
maintain
all
records,
schedules,
4
documentation,
and
data
supporting
the
insurer’s
certification
5
for
five
years.
To
the
extent
an
insurer
has
identified
an
6
area,
system,
or
process
that
requires
material
improvement,
7
updating,
or
redesign,
the
insurer
shall
document
the
process
8
used
to
identify
the
area,
system,
or
process,
and
the
9
remediation
that
has
been
implemented,
or
will
be
implemented,
10
to
address
the
area,
system,
or
process.
All
records,
11
schedules,
documentation,
and
data
described
in
this
subsection
12
shall
be
made
available
for
inspection
by
the
commissioner,
13
or
the
commissioner’s
representative,
upon
request
of
the
14
commissioner.
15
9.
Licensees
shall
comply
with
this
section
no
later
than
16
January
1,
2023.
17
Sec.
5.
NEW
SECTION
.
507F.5
Third-party
service
provider
18
arrangements.
19
1.
A
licensee
shall
exercise
due
diligence
in
the
selection
20
of
third-party
service
providers,
conduct
oversight
of
21
all
third-party
service
provider
arrangements,
and
require
22
all
third-party
service
providers
to
implement
appropriate
23
administrative,
technical,
and
physical
measures
to
protect
24
and
secure
the
information
systems
and
nonpublic
information
25
that
are
accessible
to,
or
held
by,
the
licensee’s
third-party
26
service
providers.
27
2.
Licensees
shall
comply
with
this
section
no
later
than
28
January
1,
2024.
29
Sec.
6.
NEW
SECTION
.
507F.6
Cybersecurity
event
——
30
investigation.
31
1.
If
a
licensee
discovers
that
a
cybersecurity
event
has
32
occurred,
or
that
a
cybersecurity
event
may
have
occurred,
the
33
licensee,
or
the
outside
vendor
or
third-party
service
provider
34
the
licensee
has
designated
to
act
on
behalf
of
the
licensee,
35
-10-
LSB
1335XD
(6)
89
ko/rn
10/
26
S.F.
_____
H.F.
_____
shall
conduct
a
prompt
investigation
of
the
event.
1
2.
During
the
investigation,
the
licensee,
outside
vendor,
2
or
third-party
service
provider
the
licensee
has
designated
to
3
act
on
behalf
of
the
licensee,
shall,
at
a
minimum,
determine
4
as
much
of
the
following
as
possible:
5
a.
Confirm
that
a
cybersecurity
event
has
occurred.
6
b.
Assess
the
nature
and
scope
of
the
cybersecurity
event.
7
c.
Identify
all
nonpublic
information
that
may
have
been
8
compromised
by
the
cybersecurity
event.
9
d.
Perform
or
oversee
reasonable
measures
to
restore
the
10
security
of
any
compromised
information
systems
in
order
to
11
prevent
further
unauthorized
acquisition,
release,
or
use
of
12
nonpublic
information
that
is
in
the
licensee’s
possession,
13
custody,
or
control.
14
3.
If
a
licensee
learns
that
a
cybersecurity
event
has
15
occurred,
or
may
have
occurred,
in
an
information
system
16
maintained
by
a
third-party
service
provider
of
the
licensee,
17
the
licensee
shall
complete
an
investigation
in
compliance
with
18
this
section,
or
confirm
and
document
that
the
third-party
19
service
provider
has
completed
an
investigation
in
compliance
20
with
this
section.
21
4.
A
licensee
shall
maintain
all
records
and
documentation
22
related
to
the
licensee’s
investigation
of
a
cybersecurity
23
event
for
a
minimum
of
five
years
from
the
date
of
the
event,
24
and
shall
produce
the
records
and
documentation
upon
demand
of
25
the
commissioner.
26
Sec.
7.
NEW
SECTION
.
507F.7
Cybersecurity
event
——
27
notification
and
report
to
the
commissioner.
28
1.
A
licensee
shall
notify
the
commissioner
no
later
29
than
three
business
days
from
the
date
of
the
licensee’s
30
confirmation
of
a
cybersecurity
event
if
any
of
the
following
31
conditions
apply:
32
a.
The
licensee
is
an
insurer
who
is
domiciled
in
this
33
state,
or
is
a
producer
whose
home
state
is
this
state,
and
any
34
of
the
following
apply:
35
-11-
LSB
1335XD
(6)
89
ko/rn
11/
26
S.F.
_____
H.F.
_____
(1)
State
or
federal
law
requires
that
notice
of
the
1
cybersecurity
event
be
given
by
the
licensee
to
a
government
2
body,
self-regulatory
agency,
or
other
supervisory
body.
3
(2)
The
cybersecurity
event
has
a
reasonable
likelihood
4
of
causing
material
harm
to
a
material
part
of
the
normal
5
business,
operations,
or
security
of
the
licensee.
6
b.
The
licensee
reasonably
believes
that
nonpublic
7
information
compromised
by
the
cybersecurity
event
involves
two
8
hundred
fifty
or
more
consumers
and
either
of
the
following
9
apply:
10
(1)
State
or
federal
law
requires
that
notice
of
the
11
cybersecurity
event
be
given
by
the
licensee
to
a
government
12
body,
self-regulatory
agency,
or
other
supervisory
body.
13
(2)
The
cybersecurity
event
has
a
reasonable
likelihood
of
14
causing
material
harm
to
a
consumer,
or
to
a
material
part
of
15
the
normal
business,
operations,
or
security
of
the
licensee.
16
2.
A
licensee’s
notification
to
the
commissioner
pursuant
17
to
subsection
1
shall
provide,
in
the
form
and
manner
18
prescribed
by
the
commissioner
by
rule,
as
much
of
the
19
following
information
as
is
available
to
the
licensee
at
the
20
time
of
the
notification:
21
a.
The
date
and
time
of
the
cybersecurity
event.
22
b.
A
description
of
how
nonpublic
information
was
exposed,
23
lost,
stolen,
or
breached,
including
the
specific
roles
24
and
responsibilities
of
the
licensee’s
third-party
service
25
providers,
if
any.
26
c.
How
the
licensee
discovered
or
became
aware
of
the
27
cybersecurity
event.
28
d.
If
any
lost,
stolen,
or
breached
nonpublic
information
29
has
been
recovered
and
if
so,
how
the
recovery
occurred.
30
e.
The
identity
of
the
source
of
the
cybersecurity
event.
31
f.
The
identity
of
any
regulatory,
governmental,
or
law
32
enforcement
agencies
the
licensee
has
notified,
and
the
date
33
and
time
of
each
notification.
34
g.
A
description
of
the
specific
types
of
nonpublic
35
-12-
LSB
1335XD
(6)
89
ko/rn
12/
26
S.F.
_____
H.F.
_____
information
that
were
lost,
stolen,
or
breached.
1
h.
The
total
number
of
consumers
affected
by
the
2
cybersecurity
event.
The
licensee
shall
provide
the
best
3
estimate
of
affected
consumers
in
the
licensee’s
initial
report
4
to
the
commissioner
and
shall
update
the
estimate
in
each
5
subsequent
report
to
the
commissioner
under
subsection
3.
6
i.
The
results
of
any
internal
review
conducted
by
the
7
licensee
that
identified
a
lapse
in
the
licensee’s
automated
8
controls
or
internal
procedures,
or
that
confirmed
the
9
licensee’s
compliance
with
all
automated
controls
or
internal
10
procedures.
11
j.
A
description
of
the
licensee’s
efforts
to
remediate
the
12
circumstances
that
allowed
the
cybersecurity
event.
13
k.
A
copy
of
the
licensee’s
privacy
policy.
14
l.
A
statement
outlining
the
steps
the
licensee
is
taking
15
to
identify
and
notify
consumers
affected
by
the
cybersecurity
16
event.
17
m.
The
contact
information
for
the
individual
authorized
18
to
act
on
behalf
of
the
licensee
and
who
is
also
knowledgeable
19
regarding
the
cybersecurity
event.
20
3.
A
licensee
shall
have
a
continuing
obligation
to
update
21
and
supplement
the
licensee’s
initial
notification
to
the
22
commissioner
as
material
changes
to
information
previously
23
provided
to
the
commissioner
occur.
24
Sec.
8.
NEW
SECTION
.
507F.8
Cybersecurity
event
——
25
notification
to
consumers.
26
1.
In
the
event
of
a
cybersecurity
event
involving
nonpublic
27
information,
consumer
notification
shall
be
made
by
the
28
licensee
in
the
most
expeditious
manner
possible
and
without
29
unreasonable
delay
consistent
with
the
legitimate
needs
of
law
30
enforcement
as
provided
in
subsection
2,
and
consistent
with
31
any
measures
necessary
for
the
licensee
to
identify
contact
32
information
for
the
affected
consumers,
determine
the
scope
33
of
the
cybersecurity
event,
and
to
restore
the
integrity,
34
security,
and
confidentiality
of
the
licensee’s
information
35
-13-
LSB
1335XD
(6)
89
ko/rn
13/
26
S.F.
_____
H.F.
_____
system.
1
2.
The
consumer
notification
requirements
under
this
2
section
may
be
delayed
if
a
law
enforcement
agency
determines
3
that
consumer
notification
may
impede
a
criminal
investigation
4
and
the
agency
has
made
a
written
request
to
the
licensee
to
5
delay
the
notification.
The
consumer
notification
required
by
6
this
section
shall
be
made
after
the
law
enforcement
agency
7
determines
that
the
notification
will
not
compromise
the
8
investigation
and
provides
written
notice
to
the
licensee
that
9
consumer
notification
can
proceed.
10
3.
a.
For
purposes
of
this
section,
notification
to
an
11
affected
consumer
shall
be
provided
by
one
of
the
following
12
methods:
13
(1)
Written
notice
to
the
consumer’s
last
known
address
that
14
the
licensee
has
in
the
licensee’s
records.
15
(2)
If
the
licensee’s
customary
method
of
communication
16
with
an
affected
consumer
is
by
electronic
means,
or
is
17
consistent
with
the
applicable
provisions
regarding
electronic
18
records
and
signatures
set
forth
in
chapter
554D
and
the
19
federal
Electronic
Signatures
in
Global
and
National
Commerce
20
Act,
15
U.S.C.
§7001,
the
notice
may
be
delivered
by
electronic
21
means.
22
b.
If
a
licensee
demonstrates
to
the
satisfaction
of
the
23
commissioner
that
the
cost
of
providing
notice
to
affected
24
consumers
will
exceed
two
hundred
fifty
thousand
dollars,
or
25
that
the
class
of
affected
consumers
exceeds
three
hundred
26
fifty
thousand
persons,
or
that
the
licensee
does
not
have
27
sufficient
contact
information
for
an
affected
consumer
to
28
provide
notice,
substitute
notice
may
be
used
and
must
consist
29
of
the
following:
30
(1)
Notice
shall
be
delivered
by
electronic
means
if
31
the
licensee
has
an
electronic
mail
address
for
an
affected
32
consumer
in
the
licensee’s
records.
33
(2)
Conspicuous
posting
of
the
notice,
or
a
link
to
the
34
notice,
on
the
internet
site
of
the
licensee
if
the
licensee
35
-14-
LSB
1335XD
(6)
89
ko/rn
14/
26
S.F.
_____
H.F.
_____
maintains
an
internet
site.
1
(3)
Notification
via
major
statewide
media
and
local
media
2
in
all
counties
in
which
an
affected
consumer
resides.
3
c.
If
a
licensee
is
required
to
provide
notice
of
a
4
cybersecurity
event
to
the
commissioner
pursuant
to
section
5
507F.7,
subsection
1,
the
licensee
shall
submit
to
the
6
commissioner
a
copy
of
all
consumer
notices
provided
by
the
7
licensee
to
affected
consumers
under
this
section.
8
4.
Consumer
notice
pursuant
to
this
section
shall
include,
9
at
a
minimum,
all
of
the
following:
10
a.
A
description
of
the
cybersecurity
event.
11
b.
The
approximate
date
and
time
of
the
cybersecurity
event.
12
c.
The
type
of
nonpublic
information
involved
in
the
13
cybersecurity
event.
14
d.
The
current
telephone
number,
internet
site,
and
mailing
15
address
of
the
three
largest
nationwide
consumer
reporting
16
agencies.
17
e.
Advice
to
the
consumer
to
report
suspected
incidents
of
18
identity
theft
related
to
the
cybersecurity
event
to
local
law
19
enforcement
or
the
attorney
general.
20
5.
Notwithstanding
subsection
1,
notification
is
not
21
required
if
after
an
investigation
pursuant
to
section
507F.6,
22
or
after
consultation
with
appropriate
federal,
state,
or
local
23
law
enforcement
agencies,
a
licensee
determines
that
there
is
24
no
reasonable
likelihood
of
financial
harm
to
consumers
whose
25
nonpublic
information
is
affected
by
a
cybersecurity
event.
26
Such
determination
must
be
documented
by
the
licensee
in
27
writing,
maintained
for
a
minimum
of
five
years
from
the
date
28
of
the
determination,
and
made
available
to
the
commissioner
29
for
inspection
upon
request
of
the
commissioner.
30
6.
A
licensee
that
was
subject
to
a
cybersecurity
event
31
requiring
notification
to
more
than
five
hundred
consumers
32
pursuant
to
this
section
shall
give
written
notice
of
the
event
33
to
the
director
of
the
consumer
protection
division
of
the
34
office
of
the
attorney
general
within
five
business
days
of
35
-15-
LSB
1335XD
(6)
89
ko/rn
15/
26
S.F.
_____
H.F.
_____
the
date
the
first
notice
is
provided
to
an
affected
consumer
1
pursuant
to
this
section.
2
Sec.
9.
NEW
SECTION
.
507F.9
Cybersecurity
event
——
3
third-party
service
providers.
4
1.
If
a
licensee
becomes
aware
of
a
cybersecurity
5
event
in
an
information
system
maintained
by
a
third-party
6
service
provider
of
the
licensee,
the
licensee
shall
comply
7
with
section
507F.7,
or
the
licensee
may
obtain
a
written
8
certification
from
the
third-party
service
provider
that
9
the
provider
is
in
compliance
with
section
507F.7.
If
the
10
third-party
provider
fails
to
provide
written
certification
to
11
the
licensee,
the
licensee
shall
comply
with
section
507F.7.
12
The
computation
of
the
licensee’s
deadlines
pursuant
to
section
13
507F.7
shall
begin
on
the
business
day
after
the
date
on
14
which
the
licensee’s
third-party
service
provider
notifies
15
the
licensee
of
a
cybersecurity
event,
or
the
date
on
which
16
the
licensee
has
actual
knowledge
of
the
cybersecurity
event,
17
whichever
date
is
earlier.
18
2.
This
section
shall
not
be
construed
to
prohibit
or
19
abrogate
an
agreement
between
a
licensee
and
another
licensee,
20
a
third-party
service
provider,
or
any
other
party
for
the
21
other
licensee,
third-party
service
provider,
or
other
party
to
22
execute
the
requirements
under
section
507F.6
or
section
507F.7
23
on
behalf
of
the
licensee.
24
Sec. 10. NEW SECTION. 507F.10 Cybersecurity event —— reinsurers.

1. If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.

2. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.

3. Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2.
Sec. 11. NEW SECTION. 507F.11 Cybersecurity event —— producers of record.

If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.
Sec. 12. NEW SECTION. 507F.12 Confidentiality.

1. Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.

2. The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1.

3. In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may:

a. Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.

b. Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.

c. Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.

d. Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection.

4. No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section.

5. This chapter shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to chapter 22, to a database or other clearinghouse service maintained by the national association of insurance commissioners, or its affiliates and subsidiaries.

6. Documents, materials, and other information received by the commissioner under this chapter and shared pursuant to subsection 3, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action.

7. Ownership of documents, materials, and other information shared under this chapter with the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor, remains with the commissioner, and use of the documents, materials, and other information by the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor is subject to the direction of the commissioner.
Sec. 13. NEW SECTION. 507F.13 Applicability.

1. This chapter shall not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act. The licensee shall annually submit to the commissioner a written certification of the licensee’s compliance with HIPAA.

2. A licensee shall have one hundred eighty days from the date the licensee no longer qualifies for exemption under subsection 1 to comply with this chapter.

Sec. 14. NEW SECTION. 507F.14 Penalties.

A licensee that violates this chapter shall be subject to penalties pursuant to section 505.7A and chapter 507B.

Sec. 15. NEW SECTION. 507F.15 Rules and enforcement.

1. The commissioner may adopt rules pursuant to chapter 17A as necessary to administer this chapter.

2. The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with this chapter.

Sec. 16. NEW SECTION. 507F.16 Severability.

If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable.

Sec. 17. NEW SECTION. 507F.17 Effective date.

This chapter takes effect January 1, 2022.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to the exclusive state standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance. The bill is based on the national association of insurance commissioners’ (NAIC) insurance data security model law.

“Licensee” is defined in the bill as a person licensed, authorized to operate, or registered, or required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction. The bill does not create or imply a private cause of action for a violation of its provisions, and does not curtail a private cause of action that would otherwise exist in the absence of the bill.

The bill requires licensees to develop, implement, and maintain a comprehensive written information security program (program) based on the licensee’s risk assessment (assessment) conducted pursuant to the bill. Licensees must comply with the program requirements no later than January 1, 2023. The program must safeguard the licensee’s nonpublic information and information system. “Information system” is defined in the bill as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system. “Nonpublic information” is also defined in the bill. Certain licensees and other persons are exempt from the program requirement as detailed in the bill. The bill requires a licensee’s program to protect the security and confidentiality of nonpublic information and the security of the information system, to protect against threats or hazards to the security or integrity of nonpublic information and the information system, to protect against unauthorized access to or the use of nonpublic information, to minimize the likelihood of harm to consumers, and to define and periodically reevaluate a schedule for the retention and destruction of nonpublic information.

A licensee’s assessment must designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and to have responsibility for the program; identify reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider; assess the probability of and the potential damage caused by identified threats; and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage identified threats. The assessment must include consideration of threats identified in each relevant area of the licensee’s operations.
Based on a licensee’s assessment, the bill requires the licensee to design the program to mitigate identified risks, to determine and implement appropriate security measures, to include cybersecurity risks in the licensee’s enterprise-wide risk management process, to maintain knowledge and understanding of emerging threats or vulnerabilities, to utilize reasonable security measures when sharing information, and to provide the licensee’s personnel with cybersecurity awareness training.

If a licensee has a board of directors, the bill directs the board to require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s program, and to provide an annual report to the board that documents the information specified in the bill. If a licensee’s executive management delegates any of its responsibilities, it must oversee the delegate’s development, implementation, and maintenance of the licensee’s program.

As part of a licensee’s program, the bill requires the licensee to establish a written incident response plan (plan) designed to respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession or information systems; or that compromises the continuing functionality of the licensee’s operations. The plan must address all criteria specified in the bill. “Cybersecurity event” is defined in the bill as an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed. Insurers domiciled in this state must submit an annual certification to the commissioner that the insurer is in compliance with the plan requirements.
The bill requires a licensee to exercise due diligence in the selection of a third-party service provider (provider), to conduct oversight of all provider arrangements, and to require all providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the provider. Licensees must comply with these requirements no later than January 1, 2024. “Third-party service provider” is defined in the bill as a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or provider the licensee has designated to act on behalf of the licensee, must conduct a prompt investigation of the event as detailed in the bill. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a provider of the licensee, the licensee must complete the same type of investigation, or confirm and document that the provider has completed such an investigation. A licensee must maintain all records and documentation related to the licensee’s investigation for a minimum of five years from the date of the cybersecurity event.

A licensee is required to notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if the licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. A licensee must also notify the commissioner if the cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee; or the licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves 250 or more consumers and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. The licensee must provide the commissioner with the information specified in the bill and has a continuing obligation to update and supplement the information as material changes to the information occur.
In the event of a cybersecurity event involving nonpublic information, the licensee must notify consumers as detailed in the bill. A licensee that has to provide notification to more than 500 consumers must also give written notice to the director of the consumer protection division of the office of the attorney general within five business days of the date the first notice of the cybersecurity event is provided to an affected consumer. The bill also details the requirements for cybersecurity event notifications related to providers, reinsurers, and producers of record.

The bill details confidentiality and privilege as applied to documents, materials, or other information furnished by a licensee, or that are obtained by the commissioner pursuant to an investigation or examination, and that are in the control or possession of the commissioner. The bill details which documents, materials, or other information do not constitute a public record under Code chapter 22; are not subject to subpoena and discovery; and are not admissible in a private civil action. The bill also describes how the documents, materials, and other information may be shared or used by the commissioner.

The bill does not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The licensee must submit an annual written certification to the commissioner of the licensee’s compliance with HIPAA.

A licensee that violates the bill shall be subject to penalties pursuant to Code section 505.7A and Code chapter 507B.

The commissioner may adopt rules to administer the bill and may take any enforcement action under the commissioner’s authority to enforce compliance with the bill.

If any provision of the bill, or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the bill which can be given effect without the invalid provision or application.

The bill takes effect January 1, 2022.