Missouri 2025 Regular Session

Missouri House Bill HB436 Comm Sub / Analysis

Filed 01/13/2025

HB 436 -- INSURANCE COMPANIES' DATA SECURITY
SPONSOR: Hardwick

This bill establishes the "Insurance Data Security Act".

The bill requires licensees to implement an information security
program, as defined in the bill. Each licensee must have a
comprehensive information security program that is in keeping with
the size and complexity of the licensee and the scope of its
activities. This bill specifies data protection objectives for the
programs, as well as standards for risk assessment by licensees,
and measures to be implemented in the information security
programs.

The bill specifies the requirements for licensees' boards of
directors or executive management regarding the information
security programs, and requires certain oversight of "third-party
service providers", as defined in the bill. Licensees must monitor
their information security programs, and adjust them as appropriate
consistent with relevant changes in technology and the licensees'
activities. This bill requires incident response plans as part of
information security programs, as specified in the bill. Insurers
domiciled in this state must annually submit, by April 15, a
written statement that the insurer is in compliance with the
information security program requirements of the bill, and must
maintain certain documentation for inspection by the Director of
the Department of Commerce and Insurance for a period of five
years.

The bill also specifies procedures and standards for investigation
of cybersecurity events, as well as requirements to notify
regulators, consumers, other insurers, and insurance producers as
specified in the bill if certain cybersecurity events occur. The
Director will have authority to enforce the bill in the manner
provided by law for enforcement of the insurance laws of this
state.

As specified in the bill, documents and other information furnished
to the Department of Commerce and Insurance will be confidential
and privileged from disclosure to other parties, and persons
receiving documents or information under the Director's authority
in the bill will not testify in any private civil action. In order
to assist in the performance of the Director's duties in the bill,
the Director may receive documents and information which would
otherwise be confidential and privileged, and may enter into
agreements with other authorized parties.

This bill specifies certain exceptions.

The bill contains a delayed effective date of January 1, 2026, and
grants licensees additional time for the implementation of certain
provisions.

This bill is similar to HB 2316 (2024).