The Delaware Insurance Data Security Act: What Insurers Need to Know About Data Privacy and Cyber Security
On July 31, 2019, Delaware Governor John C. Carney, Jr. signed House Bill 174 (HB 174) into law. The law, titled the Delaware Insurance Data Security Act (the Act), is based on a National Association of Insurance Commissioners (NAIC) Model Act, which was rolled out in October of 2017. Delaware’s Act establishes a comprehensive regulatory framework that requires insurers who are licensed to do business in Delaware to implement information security programs and to report instances of data breaches in a prescribed and timely manner to the Commissioner, as well as to consumers.
Of particular note, the Act:
- requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and the compromise of consumers’ Nonpublic Information and personal data;
- requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
- requires insurers to notify the Insurance Commissioner within three business days of the determination that a data breach or cybersecurity event has occurred;
- mandates that insurers notify all impacted consumers within 60 days of the determination that their data has or may have been compromised;
- requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
- endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of the Act and to take appropriate action.
The Act follows Delaware’s general data breach law, 6 Del. C. §§ 12B-100 et seq., enacted last year, which applies to “any person who conducts business in this State and owns, licenses, or maintains personal information.” Although that law arguably applies to carriers, this Act is specifically directed to insurance companies. It appears that the legislature (and the Insurance Commissioner) had concerns over recent insurance company data breaches, such as the Anthem data breach in 2015, in which hackers compromised nearly 80 million individuals’ personal information. There have been 15 insurance data breaches in which Delawareans were impacted since then, with the most recent one involving a dental insurance carrier. It is estimated that over 95,000 Delaware policyholders were impacted during that period of time.
Since the rollout of the NAIC Model Act in 2017, several other states have adopted similar laws, including New York, Ohio, Michigan, and South Carolina. It is likely this trend will continue, as the frequency of cyberattacks and data breaches shows no sign of slowing down anytime soon. As such, we anticipate other states will adopt the NAIC Model Law as well. Insurers should take note and proactively review and confirm that their information security and data privacy programs are compliant.