Senate Study Bill 1190 - Introduced
A Bill For
An Act relating to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, making penalties applicable, and including effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

Section 1.  NEW SECTION.  507F.1  Title.
   This chapter may be cited as the “Insurance Data Security Act”.

Sec. 2.  NEW SECTION.  507F.2  Purpose and scope.
   1.  Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
   2.  This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.

Sec. 3.  NEW SECTION.  507F.3  Definitions.
   As used in this chapter, unless the context otherwise requires:
   1.  “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
   2.  “Commissioner” means the commissioner of insurance.
   3.  “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
   4.  “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
   a.  The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
   b.  An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
   5.  “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
   6.  “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
   7.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub.L. No.104-191, including amendments thereto and regulations promulgated thereunder.
   8.  “Home state” means the same as defined in section 522B.1.
   9.  “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
   10.  “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
   11.  “Insurer” means the same as defined in section 521A.1.
   12.  “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
   13.  “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
   a.  A knowledge factor, such as a password.
   b.  A possession factor, such as a token or text message on a mobile phone.
   c.  An inherence factor, such as a biometric characteristic.
   14.  “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
   a.  Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
   b.  Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
   (1)  A social security number.
   (2)  A driver’s license number or a nondriver identification card number.
   (3)  A financial account number, a credit card number, or a debit card number.
   (4)  A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
   (5)  A biometric record.
   c.  Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
   (1)  The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.
   (2)  The provision of health care services to a consumer.
   (3)  Payment for the provision of health care services to a consumer.
   15.  “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
   16.  “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
   a.  That the information is of a type that is available to the general public.
   b.  That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.
   17.  “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
   18.  “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

Sec. 4.  NEW SECTION.  507F.4  Information security program.
   1.  a.  Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
   b.  This section shall not apply to any of the following:
   (1)  A licensee that meets any of the following criteria:
   (a)  Has fewer than ten individuals on its workforce, including employees and independent contractors.
   (b)  Has less than five million dollars in gross annual revenue.
   (c)  Has less than ten million dollars in year-end total assets.
   (2)  An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
   c.  A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
   2.  A licensee’s information security program must be designed to do all of the following:
   a.  Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
   b.  Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
   c.  Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
   d.  Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
   3.  A licensee shall conduct a risk assessment that accomplishes all of the following:
   a.  Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
   b.  Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
   c.  Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
   d.  Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
   (1)  Employee training and management.
   (2)  Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
   (3)  Detection, prevention, and response to an attack, intrusion, or other system failure.
   e.  Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
   4.  Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
   a.  Develop, implement, and maintain an information security program as described in subsections 1 and 2.
   b.  Determine which of the following security measures are appropriate and implement each appropriate security measure:
   (1)  Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
   (2)  Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities’ relative importance to the licensee’s business objectives and risk strategy.
   (3)  Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
   (4)  Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
   (5)  Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
   (6)  Modify information systems in accordance with the licensee’s information security program.
   (7)  Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
   (8)  Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
   (9)  Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
   (10)  Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
   (11)  Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
   c.  Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
   d.  Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
   e.  Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
   5.  a.  If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
   (1)  Develop, implement, and maintain the licensee’s information security program.
   (2)  Provide a written report to the board, at least annually, that documents all of the following:
   (a)  The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
   (b)  Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
   b.  If a licensee’s executive management delegates any of its responsibilities under this section, the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a”, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.
   6.  A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.
   7.  As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
   a.  The licensee’s internal process for responding to a cybersecurity event.
   b.  The goals of the licensee’s incident response plan.
   c.  The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan.
   d.  External communications, internal communications, and information sharing related to a cybersecurity event.
   e.  The identification of remediation requirements for weaknesses identified in information systems and associated controls.
   f.  Documentation and reporting regarding cybersecurity events and related incident response activities.
   g.  The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.
   8.  An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for five years. To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, the insurer shall document the process used to identify the area, system, or process, and the remediation that has been implemented, or will be implemented, to address the area, system, or process. All records, schedules, documentation, and data described in this subsection shall be made available for inspection by the commissioner, or the commissioner’s representative, upon request of the commissioner.
   9.  Licensees shall comply with this section no later than January 1, 2023.

Sec. 5.  NEW SECTION.  507F.5  Third-party service provider arrangements.
   1.  A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers.
   2.  Licensees shall comply with this section no later than January 1, 2024.

Sec. 6.  NEW SECTION.  507F.6  Cybersecurity event — investigation.
   1.  If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on behalf of the licensee, shall conduct a prompt investigation of the event.
   2.  During the investigation, the licensee, outside vendor, or third-party service provider the licensee has designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following as possible:
   a.  Confirm that a cybersecurity event has occurred.
   b.  Assess the nature and scope of the cybersecurity event.
   c.  Identify all nonpublic information that may have been compromised by the cybersecurity event.
   d.  Perform or oversee reasonable measures to restore the security of any compromised information systems in order to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.
   3.  If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee shall complete an investigation in compliance with this section, or confirm and document that the third-party service provider has completed an investigation in compliance with this section.
   4.  A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner.

Sec. 7.  NEW SECTION.  507F.7  Cybersecurity event — notification and report to the commissioner.
   1.  A licensee shall notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if any of the following conditions apply:
   a.  The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply:
   (1)  State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
   (2)  The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee.
   b.  The licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves two hundred fifty or more consumers and either of the following apply:
   (1)  State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body.
   (2)  The cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee.
   2.  A licensee’s notification to the commissioner pursuant to subsection 1 shall provide, in the form and manner prescribed by the commissioner by rule, as much of the following information as is available to the licensee at the time of the notification:
   a.  The date and time of the cybersecurity event.
   b.  A description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of the licensee’s third-party service providers, if any.
   c.  How the licensee discovered or became aware of the cybersecurity event.
   d.  If any lost, stolen, or breached nonpublic information has been recovered and if so, how the recovery occurred.
   e.  The identity of the source of the cybersecurity event.
   f.  The identity of any regulatory, governmental, or law enforcement agencies the licensee has notified, and the date and time of each notification.
   g.  A description of the specific types of nonpublic information that were lost, stolen, or breached.
   h.  The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under subsection 3.
   i.  The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures.
   j.  A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event.
   k.  A copy of the licensee’s privacy policy.
   l.  A statement outlining the steps the licensee is taking to identify and notify consumers affected by the cybersecurity event.
   m.  The contact information for the individual authorized to act on behalf of the licensee and who is also knowledgeable regarding the cybersecurity event.
   3.  A licensee shall have a continuing obligation to update and supplement the licensee’s initial notification to the commissioner as material changes to information previously provided to the commissioner occur.

Sec. 8.  NEW SECTION.  507F.8  Cybersecurity event — notification to consumers.
   1.  In the event of a cybersecurity event involving nonpublic information, consumer notification shall be made by the licensee in the most expeditious manner possible and without unreasonable delay consistent with the legitimate needs of law enforcement as provided in subsection 2, and consistent with any measures necessary for the licensee to identify contact information for the affected consumers, determine the scope of the cybersecurity event, and to restore the integrity, security, and confidentiality of the licensee’s information system.
   2.  The consumer notification requirements under this section may be delayed if a law enforcement agency determines that consumer notification may impede a criminal investigation and the agency has made a written request to the licensee to delay the notification. The consumer notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and provides written notice to the licensee that consumer notification can proceed.
   3.  a.  For purposes of this section, notification to an affected consumer shall be provided by one of the following methods:
   (1)  Written notice to the consumer’s last known address that the licensee has in the licensee’s records.
   (2)  If the licensee’s customary method of communication with an affected consumer is by electronic means, or is consistent with the applicable provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §7001, the notice may be delivered by electronic means.
   b.  If a licensee demonstrates to the satisfaction of the commissioner that the cost of providing notice to affected consumers will exceed two hundred fifty thousand dollars, or that the class of affected consumers exceeds three hundred fifty thousand persons, or that the licensee does not have sufficient contact information for an affected consumer to provide notice, substitute notice may be used and must consist of the following:
   (1)  Notice shall be delivered by electronic means if the licensee has an electronic mail address for an affected consumer in the licensee’s records.
   (2)  Conspicuous posting of the notice, or a link to the notice, on the internet site of the licensee if the licensee maintains an internet site.
   (3)  Notification via major statewide media and local media in all counties in which an affected consumer resides.
   c.  If a licensee is required to provide notice of a cybersecurity event to the commissioner pursuant to section 507F.7, subsection 1, the licensee shall submit to the commissioner a copy of all consumer notices provided by the licensee to affected consumers under this section.
   4.  Consumer notice pursuant to this section shall include, at a minimum, all of the following:
   a.  A description of the cybersecurity event.
   b.  The approximate date and time of the cybersecurity event.
   c.  The type of nonpublic information involved in the cybersecurity event.
   d.  The current telephone number, internet site, and mailing address of the three largest nationwide consumer reporting agencies.
   e.  Advice to the consumer to report suspected incidents of identity theft related to the cybersecurity event to local law enforcement or the attorney general.
   5.  Notwithstanding subsection 1, notification is not required if after an investigation pursuant to section 507F.6, or after consultation with appropriate federal, state, or local law enforcement agencies, a licensee determines that there is no reasonable likelihood of financial harm to consumers whose nonpublic information is affected by a cybersecurity event. Such determination must be documented by the licensee in writing, maintained for a minimum of five years from the date of the determination, and made available to the commissioner for inspection upon request of the commissioner.
   6.  A licensee that was subject to a cybersecurity event requiring notification to more than five hundred consumers pursuant to this section shall give written notice of the event to the director of the consumer protection division of the office of the attorney general within five business days of the date the first notice is provided to an affected consumer pursuant to this section.

Sec. 9.  NEW SECTION.  507F.9  Cybersecurity event — third-party service providers.
   1.  If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier.
   2.  This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under section 507F.6 or section 507F.7 on behalf of the licensee.

Sec. 10.  NEW SECTION.  507F.10  Cybersecurity event — reinsurers.
   1.  If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
   2.  If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with section 507F.8 and the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law.
   3.  Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2.
   Sec. 11.  NEW SECTION.  507F.11  Cybersecurity event — producers of record.
   If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer.
   Sec. 12.  NEW SECTION.  507F.12  Confidentiality.
   1.  Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee.
   2.  The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1.
   3.  In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may:
   a.  Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.
   b.  Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information.
   c.  Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information.
   d.  Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection.
   4.  No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section.
   5.  This chapter shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to chapter 22, to a database or other clearinghouse service maintained by the national association of insurance commissioners, or its affiliates and subsidiaries.
   6.  Documents, materials, and other information received by the commissioner under this chapter and shared pursuant to subsection 3, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action.
   7.  Ownership of documents, materials, and other information shared under this chapter with the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor, remains with the commissioner, and use of the documents, materials, and other information by the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor is subject to the direction of the commissioner.
   Sec. 13.  NEW SECTION.  507F.13  Applicability.
   1.  This chapter shall not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act. The licensee shall annually submit to the commissioner a written certification of the licensee’s compliance with HIPAA.
   2.  A licensee shall have one hundred eighty days from the date the licensee no longer qualifies for exemption under subsection 1 to comply with this chapter.
   Sec. 14.  NEW SECTION.  507F.14  Penalties.
   A licensee that violates this chapter shall be subject to penalties pursuant to section 505.7A and chapter 507B.
   Sec. 15.  NEW SECTION.  507F.15  Rules and enforcement.
   1.  The commissioner may adopt rules pursuant to chapter 17A as necessary to administer this chapter.
   2.  The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with this chapter.
   Sec. 16.  NEW SECTION.  507F.16  Severability.
   If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable.
   Sec. 17.  NEW SECTION.  507F.17  Effective date.
   This chapter takes effect January 1, 2022.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill relates to the exclusive state standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance. The bill is based on the national association of insurance commissioners’ (NAIC) insurance data security model law.
   “Licensee” is defined in the bill as a person licensed, authorized to operate, or registered, or required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction. The bill does not create or imply a private cause of action for a violation of its provisions, and does not curtail a private cause of action that would otherwise exist in the absence of the bill.
   The bill requires licensees to develop, implement, and maintain a comprehensive written information security program (program) based on the licensee’s risk assessment (assessment) conducted pursuant to the bill. Licensees must comply with the program requirements no later than January 1, 2023. The program must safeguard the licensee’s nonpublic information and information system. “Information system” is defined in the bill as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system. “Nonpublic information” is also defined in the bill. Certain licensees and other persons are exempt from the program requirement as detailed in the bill. The bill requires a licensee’s program to protect the security and confidentiality of nonpublic information and the security of the information system, to protect against threats or hazards to the security or integrity of nonpublic information and the information system, to protect against unauthorized access to or the use of nonpublic information, to minimize the likelihood of harm to consumers, and to define and periodically reevaluate a schedule for the retention and destruction of nonpublic information.
   A licensee’s assessment must designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and to have responsibility for the program; identify reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider; assess the probability of and the potential damage caused by identified threats; and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage identified threats. The assessment must include consideration of threats identified in each relevant area of the licensee’s operations.
   Based on a licensee’s assessment, the bill requires the licensee to design the program to mitigate identified risks, to determine and implement appropriate security measures, to include cybersecurity risks in the licensee’s enterprise-wide risk management process, to maintain knowledge and understanding of emerging threats or vulnerabilities, to utilize reasonable security measures when sharing information, and to provide the licensee’s personnel with cybersecurity awareness training.
   If a licensee has a board of directors, the bill directs the board to require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s program, and to provide an annual report to the board that documents the information specified in the bill. If a licensee’s executive management delegates any of its responsibilities, it must oversee the delegate’s development, implementation, and maintenance of the licensee’s program.
   As part of a licensee’s program, the bill requires the licensee to establish a written incident response plan (plan) designed to respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession or information systems; or that compromises the continuing functionality of the licensee’s operations. The plan must address all criteria specified in the bill. “Cybersecurity event” is defined in the bill as an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed. Insurers domiciled in this state must submit an annual certification to the commissioner that the insurer is in compliance with the plan requirements.
   The bill requires a licensee to exercise due diligence in the selection of a third-party service provider (provider), to conduct oversight of all provider arrangements, and to require all providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the provider. Licensees must comply with these requirements no later than January 1, 2024. “Third-party service provider” is defined in the bill as a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.
   If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or provider the licensee has designated to act on behalf of the licensee, must conduct a prompt investigation of the event as detailed in the bill. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a provider of the licensee, the licensee must complete the same type of investigation, or confirm and document that the provider has completed such an investigation. A licensee must maintain all records and documentation related to the licensee’s investigation for a minimum of five years from the date of the cybersecurity event.
   A licensee is required to notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if the licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. A licensee must also notify the commissioner if the cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee; or the licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves 250 or more consumers and state or federal law requires notice to a government body, self-regulatory agency, or other supervisory body. The licensee must provide the commissioner with the information specified in the bill and has a continuing obligation to update and supplement the information as material changes to the information occur.
   In the event of a cybersecurity event involving nonpublic information, the licensee must notify consumers as detailed in the bill. A licensee that has to provide notification to more than 500 consumers must also give written notice to the director of the consumer protection division of the office of the attorney general within five business days of the date the first notice of the cybersecurity event is provided to an affected consumer. The bill also details the requirements for cybersecurity event notifications related to providers, reinsurers, and producers of record.
   The bill details confidentiality and privilege as applied to documents, materials, or other information furnished by a licensee, or that are obtained by the commissioner pursuant to an investigation or examination, and that are in the control or possession of the commissioner. The bill details which documents, materials, or other information do not constitute a public record under Code chapter 22; are not subject to subpoena and discovery; and are not admissible in a private civil action. The bill also describes how the documents, materials, and other information may be shared or used by the commissioner.
   The bill does not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The licensee must submit an annual written certification to the commissioner of the licensee’s compliance with HIPAA.
   A licensee that violates the bill shall be subject to penalties pursuant to Code section 505.7A and Code chapter 507B.
   The commissioner may adopt rules to administer the bill and may take any enforcement action under the commissioner’s authority to enforce compliance with the bill.
   If any provision of the bill, or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the bill which can be given effect without the invalid provision or application.
   The bill takes effect January 1, 2022.
ko/rn