FIRST REGULAR SESSION
HOUSE COMMITTEE SUBSTITUTE FOR HOUSE BILL NO. 436
103RD GENERAL ASSEMBLY
1574H.02C
JOSEPH ENGLER, Chief Clerk

AN ACT

To amend chapter 375, RSMo, by adding thereto twelve new sections relating to insurance companies' data security, with penalty provisions.

Be it enacted by the General Assembly of the state of Missouri, as follows:

Section A. Chapter 375, RSMo, is amended by adding thereto twelve new sections, to be known as sections 375.1400, 375.1402, 375.1405, 375.1407, 375.1410, 375.1412, 375.1415, 375.1417, 375.1420, 375.1422, 375.1425, and 375.1427, to read as follows:

375.1400. 1. Sections 375.1400 to 375.1427 shall be known and may be cited as the "Insurance Data Security Act".

2. Notwithstanding any other provision of law, sections 375.1400 to 375.1427 establish the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event as defined in section 375.1402, and notification to the director.

3. Sections 375.1400 to 375.1427 shall not be construed to create or imply a private cause of action for violation of their provisions, nor shall such sections be construed to curtail a private cause of action that would otherwise exist in the absence of sections 375.1400 to 375.1427.

375.1402. 1. As used in sections 375.1400 to 375.1427, the following terms mean:

(1) "Authorized person", an individual known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems;

(2) "Consumer", an individual, including, but not limited to, applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control;

(3) "Cybersecurity event", an event resulting in unauthorized access to, malicious disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person; however:

(a) The term "cybersecurity event" does not include the unauthorized acquisition of encrypted, nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; and

(b) The term "cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed;

(4) "Department", the department of commerce and insurance;

(5) "Director", the director of the department of commerce and insurance;

(6) "Encrypted", the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key;

(7) "HIPAA", the federal Health Insurance Portability and Accountability Act (42 U.S.C. Section 1320d et seq.);

(8) "Information security program", the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;

(9) "Information system", a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems;

(10) "Licensee", any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered under the insurance laws of this state, but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction;

(11) "Multi-factor authentication", authentication through verification of at least two of the following types of authentication factors:

(a) Knowledge factors, such as a password;

(b) Possession factors, such as a token or text message on a mobile phone; or

(c) Inherence factors, such as a biometric characteristic;

(12) "Nonpublic information", information that is not publicly available information and is:

(a) Business-related information of a licensee, the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

(b) Any information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify such consumer, in combination with any one or more of the following data elements:

a. Social Security number;
b. Driver's license number or nondriver identification card number;
c. Financial account number or credit or debit card number;
d. Any security code, access code, or password that would permit access to a consumer's financial account;
e. Biometric records; or
f. Military identification number;

(c) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:

a. The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
b. The provision of health care to any consumer; or
c. Payment for the provision of health care to any consumer;

(13) "Person", any individual or any nongovernmental entity including, but not limited to, any nongovernmental partnership, corporation, branch, agency, or association;

(14) "Publicly available information", any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:

(a) That the information is of the type that is available to the general public; and

(b) Whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so;

(15) "Risk assessment", the risk assessment that each licensee is required to conduct under subsection 3 of section 375.1405;

(16) "State", the state of Missouri;

(17) "Third-party service provider", a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

375.1405. 1. Commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program that is based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

2. A licensee's information security program shall be designed to:

(1) Protect the security and confidentiality of nonpublic information and the security of the information system;

(2) Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;

(3) Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and

(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

3. The licensee shall:

(1) Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;

(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;

(3) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information;

(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including:

(a) Employee training and management;

(b) Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and

(c) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and

(5) Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

4. Based on its risk assessment, the licensee shall:

(1) Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;

(2) Determine which of the following security measures are appropriate and implement such security measures:

(a) Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;

(b) Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;

(c) Restrict access at physical locations containing nonpublic information only to authorized persons;

(d) Protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;

(e) Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;

(f) Modify the information system in accordance with the licensee's information security program;

(g) Utilize effective controls, which may include multi-factor authentication procedures for any individual accessing nonpublic information;

(h) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;

(i) Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;

(j) Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and

(k) Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;

(3) Include cybersecurity risks in the licensee's enterprise risk management process;

(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and

(5) Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

5. If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:

(1) Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program;

(2) Require the licensee's executive management or its delegates to report in writing, at least annually, the following information:

(a) The overall status of the information security program and the licensee's compliance with sections 375.1400 to 375.1427; and

(b) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program;

(3) If executive management delegates any of its responsibilities under section 375.1405, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall receive a report from the delegates complying with the requirements of the report to the board of directors above.

6. (1) A licensee shall exercise due diligence in selecting its third-party service provider.

(2) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

7. The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

8. As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. Such incident response plan shall address the following areas:

(1) The internal process for responding to a cybersecurity event;
(2) The goals of the incident response plan;
(3) The definition of clear roles, responsibilities, and levels of decision-making authority;
(4) External and internal communications and information sharing;
(5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(6) Documentation and reporting regarding cybersecurity events and related incident response activities; and
(7) The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

9. Annually by April fifteenth, each insurer domiciled in this state shall submit to the director a written statement certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the director.

375.1407. 1. If the licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.

2. During the investigation, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following information as practicable:

(1) Determine whether a cybersecurity event has occurred;
(2) Assess the nature and scope of the cybersecurity event;
(3) Identify any nonpublic information that may have been involved in the cybersecurity event; and
(4) Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.

3. If the licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee shall complete the steps listed in subsection 2 of this section or confirm and document that the third-party service provider has completed those steps.

4. The licensee shall maintain records concerning all cybersecurity events for a period of at least three years from the date of the cybersecurity event and shall produce those records upon demand of the director.

375.1410. 1. Each licensee shall notify the director as promptly as practicable, but in no event later than four business days, from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:

(1) This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in section 375.012, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or a reasonable likelihood of materially harming any material part of the normal operations of the licensee; or

(2) The licensee reasonably believes that the nonpublic information involved is of two hundred fifty or more consumers residing in this state and is either of the following:

(a) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body under any state or federal law; or

(b) A cybersecurity event that has a reasonable likelihood of materially harming:

a. Any consumer residing in this state; or
b. Any material part of the normal operations of the licensee.

2. The licensee shall provide as much of the following information as practicable except that the licensee shall not release to the state or any other entity nonpublic information of the consumer unless given written authority by the consumer or otherwise required by law. The licensee shall provide the information in electronic form as directed by the director. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the director regarding material changes to previously provided information relating to the cybersecurity event:

(1) The date of the cybersecurity event;
(2) A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
(3) How the cybersecurity event was discovered;
(4) Whether any exposed, lost, stolen, or breached information has been recovered and if so, how this was done;
(5) The identity of the source of the cybersecurity event;
(6) Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
(7) A description of the specific types of information acquired without authorization. "Specific types of information" means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
(8) The period during which the information system was compromised by the cybersecurity event;
(9) The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director under this section;
(10) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
(11) A description of the efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
(12) A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
(13) The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

3. The licensee shall comply with section 407.1500, as applicable, and provide a copy of the notice sent to consumers under that section to the director when a licensee is required to notify the director under subsection 1 of section 375.1410.

4. (1) In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat such event as it would under subsection 1 of section 375.1410.

(2) The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

(3) Nothing in sections 375.1400 to 375.1427 shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under section 375.1407 or notice requirements imposed under this section.

5. (1) (a) In the event of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the commissioner or director of insurance for its state of domicile within three business days of making the determination that a cybersecurity event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 407.1500 and any other notification requirements relating to a cybersecurity event imposed under this section.

(c) Any licensee acting as assuming insurer shall have no other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of the state.

(2) (a) In the event of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner or director of insurance for its state of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 407.1500 and any other notification requirements relating to a cybersecurity event imposed under this section.

6. In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer, and for which consumer notice is required by law, including section 407.1500, the insurer shall notify the producers of record of all affected consumers of the cybersecurity event no later than the time at which notice is provided to the affected consumers. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.

375.1412. 1. The director shall have power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of sections 375.1400 to 375.1427. This power is in addition to the powers the director has under the law. Any such investigation or examination shall be conducted under section 374.190 or 374.205.

2. Whenever the director has reason to believe that a licensee has been or is engaged in conduct in this state that violates sections 375.1400 to 375.1427, the director may take action that is necessary or appropriate to enforce the provisions of sections 375.1400 to 375.1427.

375.1415. 1. Any documents, materials, or other information in the control or possession of the department that are furnished by a licensee or an employee or agent thereof acting on behalf of a licensee under subsection 9 of section 375.1405 or subsection 2 of section 375.1410 or that is obtained by the director in an investigation or examination under section 375.1412 shall be confidential by law and privileged, shall not be subject to disclosure under chapter 610, shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the director is authorized to use the documents, materials, or other information in the furtherance of any regulatory or legal action brought as a part of the director's duties.

2. Neither the director nor any person or entity who received documents, materials, or other information while acting under the authority of the director shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to subsection 1 of this section.

3. Consistent with the insurance data security act's goal of safeguarding consumer nonpublic information, the director or any person or entity who receives documents, materials, or other information while acting under the authority of the director under sections 375.1400 to 375.1427 may share such documents, materials, or other information with another state or federal governmental agency or officer or the National Association of Insurance Commissioners; provided that the recipient agrees in writing to maintain the confidentiality of such documents, materials, or other information, and has verified in writing the legal authority to maintain such confidentiality. Except as permitted in this subsection, neither the director nor any person or entity who receives documents, materials, or other information under sections 375.1400 to 375.1427 shall be permitted to:

(1) Share or otherwise release the documents, materials, or other information to a third party;
(2) Share or otherwise release the documents, materials, or other information for commercial use; or
(3) Sell cyber event or nonpublic information of any person or entity.

4. In order to assist in the performance of the director's duties under sections 375.1400 to 375.1427, the director:

(1) May receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the National Association of Insurance Commissioners, its affiliates, or subsidiaries and from regulatory and law enforcement officials of other foreign or domestic jurisdictions and shall maintain as confidential or privileged any document, material, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material, or information; and

(2) May enter into agreements governing sharing and use of information consistent with this subsection.

5. No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the director under this section or as a result of sharing as authorized in subsection 3 of this section.

6. Nothing in sections 375.1400 to 375.1427 shall prohibit the director from releasing final adjudicated actions that are open to public inspection under chapter 610 to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates, or subsidiaries.

375.1417. 1. The following exceptions shall apply to sections 375.1400 to 375.1427:

(1) A licensee with fewer than ten employees, including any independent contractors, is exempt from the provisions of section 375.1405;

(2) A licensee subject to and governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, and the Health Information Technology for Economic and Clinical Health Act (HITECH), Pub. L. 111-5, and that maintains nonpublic information in the same manner as protected health information shall be deemed to comply with the requirements of sections 375.1400 to 375.1427, except for the director notification requirements in subsections 1 and 2 of section 375.1410;

(3) An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from section 375.1405 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee;

(4) Producers that have fewer than fifty employees; less than five million dollars in gross annual revenue; or less than ten million dollars in year-end total assets; and

(5) A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth under Sections 501 and 505 of the federal Gramm-Leach-Bliley Act, Pub. L. 106-102, shall be considered to meet the requirements of section 375.1405 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the director that independently validates the affiliated depository institution's adoption of an information security program that satisfies the interagency guidelines.

2. In the event that a licensee ceases to qualify for an exception, such licensee shall have one hundred eighty calendar days to comply with sections 375.1400 to 375.1427.

375.1420. In the case of a violation of sections 375.1400 to 375.1427, a licensee may be subject to penalties as provided by law, including sections 374.046, 374.048, and 374.049.

375.1422. The director of the department of commerce and insurance may promulgate rules as necessary for the implementation of sections 375.1400 to 375.1427. Any rule or portion of a rule, as that term is defined in section 536.010, that is created under the authority delegated in this section shall become effective only if it complies with and is subject to all of the provisions of chapter 536 and, if applicable, section 536.028. This section and chapter 536 are nonseverable and if any of the powers vested with the general assembly under chapter 536 to review, to delay the effective date, or to disapprove and annul a rule are subsequently held unconstitutional, then the grant of rulemaking authority and any rule proposed or adopted after August 28, 2025, shall be invalid and void.

375.1425. If any provision of sections 375.1400 to 375.1427 or the application thereof to any person or circumstance is for any reason held to be invalid, the remainder of sections 375.1400 to 375.1427 and the application of such provision to other persons or circumstances shall not be affected thereby.

375.1427. Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405.

EXPLANATION: Matter enclosed in bold-faced brackets [thus] in the above bill is not enacted and is intended to be omitted from the law. Matter in bold-face type in the above bill is proposed language.