HB 5248

Abstract

Creates the Insurance Data Security Act. Requires any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance laws of this State to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems, and procedures. Requires a licensee to develop, implement, and maintain a written information security program based on the licensee's risk assessment. Requires each licensee to establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. Requires licensees domiciled in this State to annually submit a written certification of compliance to the Director of Insurance. Provides that a licensee shall notify the Director as promptly as possible, but not later than 72 hours from a determination that a cybersecurity event has occurred in specified circumstances. Provides standards and procedures for risk management, data security, and notification and investigation of cybersecurity events resulting in unauthorized access to, disruption of, or misuse of nonpublic data. Provides that the Director has the power to examine and investigate to determine whether a licensee has been or is engaged in any conduct in violation of the Act. Grants the Department of Insurance rulemaking authority to implement the Act. Provides that any documents, materials, or other information obtained pursuant to the Act is confidential by law and privileged, is not subject to the Freedom of Information Act, is not subject to subpoena, and is not subject to discovery or admissible in evidence in any private civil action. Makes a conforming change in the Freedom of Information Act. Defines terms. Effective January 1, 2023.