Carney signs Insurance Data Security Act into law

DOVER — Gov. John Carney signed House Bill 174, titled the Delaware Insurance Data Security Act, into law on Wednesday.

The law is based on an NAIC Model Act, which establishes a comprehensive regulatory framework requiring insurers licensed to do business in Delaware to implement information security programs and to report instances of data breaches in a prescribed timely manner to the Insurance Commissioner and consumers, and which empowers the Department of Insurance to investigate violations of the Act and levy penalties accordingly.

HB 174’s prime sponsors were Rep. William Bush, chair of the House Economic Development, Banking, Insurance & Commerce Committee, and Sen. Trey Paradee, also of Dover, and chair of the Senate Business, Banking & Insurance Committee.

Additional sponsors include a bipartisan roster of Rep. Krista Griffith, chair of the House Telecommunication, Internet & Technology Committee, Senate Majority Leader Nicole Poore, Sens. Brian Pettyjohn and David Sokola, and Reps. Paul Baumbach, Sherry Dorsey Walker, Timothy Dukes, Sean Matthews, Ray Seigfried and Michael Smith.

Delaware Insurance Commissioner Trinidad Navarro explained how the Act will enhance consumer protection in Delaware.

“When hardworking consumers entrust their personal data to their insurance companies, they have a reasonable expectation that their carriers will do everything they can to safeguard that information,” Commissioner Navarro said. “Over the past several years, we have witnessed time and again consumers’ information be compromised or stolen by hackers’ cyber threats to insurers.

“By codifying a regulatory standard that requires all insurance licensees in Delaware to implement information security programs and timely report data breaches to the (Department of Insurance) and consumers, HB 174 enhances Delaware’s consumer protection measures to hold companies accountable and give consumers the peace of mind that they deserve. I thank Governor Carney and the General Assembly for recognizing the importance of this legislation and enacting it into law.”

Prior to the implementation of this law, there were no standards for insurance companies to follow regarding protection of consumers’ data and notifying the department. Historically, when an insurer determined that a data breach had occurred, notification to the Department of Insurance was delayed, sometimes by several months. Notably, this Act accomplishes the following:

  1. Requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ Nonpublic Information and personal data;
  2. Requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
  3. Requires insurers to notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred;
  4. Mandates that insurers notify all impacted consumers within 60 days of the determination that their data has or may have been compromised;
  5. Requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
  6. Endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of this Act and take action accordingly.

“In our fast-paced, technology-driven society, we have to take the necessary steps to put strong consumer protections and data security in place. Data breaches are personal, comprising critical information and forcing an individual to rebuild their entire lives,” said Rep. Bush, chief sponsor of HB 174. “Instituting a framework with safeguards to protect Delawareans from insurance data breaches is the right thing to do. This comprehensive legislation enhances consumers’ data privacy and protection, with the ultimate goal of giving them peace of mind and security.”

Work on enhancing insurance data security began after the Anthem data breach in 2015, in which hackers compromised nearly 80 million individuals’ personal information. Since then, there have been 15 insurance data breaches with Delawareans impacted, the most recent one involving Dominion National, a dental insurance carrier. The number of Delawareans impacted by the breaches during that period ranged from one policyholder to over 95,000 policyholders.

HB 174 passed the House on June 13 with 40 ‘yes’ votes. The bill cleared its final hurdle on June 26 with the Delaware Senate voting unanimously in favor. Consumers and producers who have questions about the new law are encouraged to contact the Department’s Consumer Services Division at (302) 674-7310 or by email at consumer@delaware.gov.

“Insurance companies hold some of the most sensitive information about our residents, but until now had no state-mandated rules to follow for protecting that data or reporting hacks to consumers,” said Sen. Paradee, the bill’s prime Senate sponsor. “While we can’t stop every data breach, we can — and must — do more to ensure that insurance companies are taking steps to protect Delawareans’ private data and notify customers when their information is compromised. Delaware Insurance Commissioner Trinidad Navarro deserves a lot of credit for bringing this matter to our attention and working with us to get this legislation passed.”

Reach the Delaware State News newsroom at newsroom@newszap.com
