Req. No. 391 Page 1 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
STATE OF OKLAHOMA
1st Session of the 59th Legislature (2023)
SENATE BILL 543 By: Montgomery
AS INTRODUCED
An Act relating to insurance data security; creating
the Insurance Data Security A ct; providing short
title; establishing act jurisdi ction; construing
provision; defining terms; requiring licensees to
develop data security program with certain
inclusions; establishing intent of security programs
created pursuant to ac t; directing licensee to
conduct risk assessment; directing licensee t o take
certain action following risk assessment result;
requiring certain su pervising boards to take certain
actions to implement program; requiring licensee to
contract with third-party service provider subject to
certain conditions; requiring licensee to maintain
updates and revisions to program; requiring licensee
develop incident response plan; requiring certain
reports be submitted to the Insurance Commissioner;
requiring insurer to maintain certain records for
specific time period; requiring investiga tion after
certain cybersecurity event; establishing
investigation process; requiring notification of
certain event to the Commissioner; requiring
compliance with certain state laws; pro viding for
certain exemption; providing for the Commissioner to
investigate certain licensees for certain violations;
providing for confidentialit y of certain information
relating to cybersecurity event; allowing
Commissioner to share certain data with national
association; construing provision; providing for rule
promulgation; providing certain exceptions to act;
establishing penalties; amending 51 O.S. 2021,
Section 24A.3, as last amended by Section 1, Chapter
402, O.S.L. 2022 (51 O. S. Supp. 2022, Section 24A.3),
which relates to the Oklahoma Open Records Act;
modifying definition; providing for codification; and
providing an effective date.
Req. No. 391 Page 2 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 670 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
This act shall be known and may be cited as the “Insurance Data
Security Act”.
SECTION 2. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 671 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
A. Notwithstanding any other provision of law, the provisions
of this act shall be the exclusive state law for licensees subject
to the jurisdiction of the Insurance Commissioner for data security,
the investigation of a cybersecurity event, and notification to the
Commissioner.
B. This act shall not be construed to create or imply a private
cause of action for violations of its provisions.
SECTION 3. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 672 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
As used in this act:
1. “Authorized individual” means an individual known to and
screened by the licensee and determined to be necessary and
Req. No. 391 Page 3 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
appropriate to have access to the nonpublic information held by the
licensee and its inform ation systems;
2. “Commissioner” means the Insurance Commissioner;
3. “Consumer” means an individual, including but not limited to
applicants, policyholders, insureds, beneficiaries, claimants, and
certificate holders, who is a resident of this state and whose
nonpublic information is in the possession, custody, or control of a
licensee;
4. “Cybersecurity event” means an event resulting in
unauthorized access to or disruption or misuse of an information
system or nonpublic information stored on the information system;
5. “Department” means the Insurance Department;
6. “Encrypted” means the transformation of data into a form
which results in a low probabil ity of assigning meaning without the
use of a protective process or key;
7. “Information security program ” means the administrative,
technical, and physical safeguards that a licensee u ses to access,
collect, distribute, process, protect, store, use, transmit, dispose
of, or otherwise handle nonpublic information;
8. “Information system” means a discrete set of electro nic
information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposi tion of nonpublic
information, as well as any specialized system such as industrial or
Req. No. 391 Page 4 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
process controls systems, telephone switching and private branch
exchange systems, and environmental control systems;
9. “Licensee” means any person licensed, authorized to operate
or registered, or required to be licensed, authorized or registered
pursuant to Title 36 of the Oklahoma Statutes; provided, however,
that it shall not include a purchasing group or a risk rete ntion
group chartered and licensed in a stat e other than this state or a
person that is acting as an assuming insurer that is domiciled in
another state or jurisdiction;
10. “Multi-factor authentication” means authentication through
verification of at lea st two (2) of the following types of
authentication factors:
a. knowledge factors, such as a password ,
b. possession factors, such as a token or text message on
a mobile phone, or
c. inherence factors, such as a biometric characteristic;
11. “Non-public information” means electronic information that
is not publicly available and is:
a. business related information of a licensee, of which
the tampering with or unauthorized disclosure, acce ss,
or use of would cause a material adverse impact to the
business, operations, or security of the licensee ,
b. any information concerning a consumer that, because of
name, number, personal mark, or other identifier, can
Req. No. 391 Page 5 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
be used to identify him or her, in co mbination with
any one or more of the following data elements:
(1) social security number,
(2) driver license number or nondriver identification
card number,
(3) financial account number, credit , or debit card
number,
(4) any security code, access code , or password that
would permit access to a consumer’s financial
account, or
(5) biometric records, and
c. any information or data, except age or gender, in any
form or medium created by or derived from a health
care provider or a consumer that can be used to
identify a particular consumer and that relates to:
(1) the past, present, or future physical, mental , or
behavioral health or condition of any consumer or
a member of the family of the consumer,
(2) the provision of health care to any consumer , or
(3) payment for the provision of health care to any
consumer;
12. “Person” means any individual or any nongovernmental
entity including but not limited to any nongovernmental
partnership, corporation, branch, agency, or association;
Req. No. 391 Page 6 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
13. “Publicly available information” means any information that
a licensee has reasonable basis to believe is lawfully made
available to the general public from federal, state, or local
government records, widely distributed media, or disclosures to the
general public that are required to be made by federal, state, or
local law. For the purposes of this definition, a licensee has a
reasonable basis to believe that information is lawfully made
available to the general public if the licensee has taken steps to
determine:
a. that the information is of the type that is available
to the general public, and
b. whether a consumer can direct that the information not
be made available to the general public and, if so,
that such consumer has not done so; and
14. “Third-party service provider” means a person, not
otherwise defined as a licensee, that contracts with a licensee to
maintain, process, store, or otherwise is permitted access to
nonpublic information through its provision of services to the
licensee.
SECTION 4. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 673 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
A. Each licensee in this state shall develop, implement, and
maintain a comprehensive written information security program based
Req. No. 391 Page 7 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
on the risk assessment of the licensee provided for in this act and
that contains administrative, technical, and physical safeguards for
the protection of nonpublic in formation and the information systems
of the licensee. The program shall be commensurate with the size and
complexity of the licensee, the nature and scope of the activities
of the licensee, including its use of third-party service providers,
and the sensitivity of the nonpublic information used by the
licensee or in the possession, custody, or control of the licensee.
B. An information security program of a licensee shall be
designed to:
1. Protect the security and confidentialit y of nonpublic
information and the security of the information systems;
2. Protect against any threats or hazards to the security or
integrity of nonpublic information and the information systems;
3. Protect against unauthorized access to or use of nonpu blic
information, and minimize the likelihood o f harm to any consumer;
and
4. Define and periodically reevaluate a schedule for retentio n
of nonpublic information and a mechanism for its destruction when no
longer needed.
C. The licensee shall:
1. Designate one or more employees, an affiliate, or an outside
vendor designated to act on behalf of the licensee who is
responsible for the information security program;
Req. No. 391 Page 8 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. Identify reasonably foreseeable internal or external threats
that could result in unauthorized access, transmission, disclosure,
misuse, alteration, or destruction of nonpublic information including
the security of information systems and nonpublic infor mation that
are accessible to, or held by, third-party service providers;
3. Assess the likelihood and potential damage of these threats,
taking into consideration the sensitivity of the nonpublic
information;
4. Assess the sufficiency of policies, procedures, information
systems, and other safeguards in place to manage these threats,
including consideration of threats in each relevant area of the
operations of the li censee, including:
a. employee training and management,
b. information systems, including network and software
design, as well as information classification,
governance, processing, storage, transmission, and
disposal, and
c. detecting, preventing, and responding to attacks,
intrusions, or other systems failures; and
5. Implement information safeguards to manage the threats
identified in its ongoing assessment, and no less than annuall y,
assess the effectiveness of the key controls , systems, and
procedures of the safeguards.
Req. No. 391 Page 9 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
D. Based on the results of the risk assessment, the licensee
shall:
1. Design its information security program to mitigate the
identified risks, commensurate with the size and complexity of the
licensee, the nature and scope of the activities of the licensee
including its use of third-party service providers, and the
sensitivity of the nonpublic information used by the licensee or in
the possession, custody, or control of the licensee;
2. Determine and implement security measures deemed
appropriate, including:
a. place access controls on information systems
including controls to authenticate and permit access
only to authorized individuals to protect against the
unauthorized acquisition of nonpublic information,
b. identify and manage the data, personnel, devices,
systems, and facilities that enable the organization
to achieve business purposes in acco rdance with their
relative importance to business objectives and the
risk strategy of the organization,
c. restrict physical access to nonpublic information to
authorized individuals only,
d. protect by encryption or other appropriate means, all
nonpublic information while being transmitted over an
external network and all nonpublic information stored
Req. No. 391 Page 10 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
on a laptop computer or other portable computing or
storage device or media,
e. adopt secure development practices for in-house
developed applications utilized by the licensee,
f. modify the information system in accordance with the
information security program of the licensee,
g. utilize effective controls, which may include multi-
factor authentication procedures for any authorized
individual accessing nonpublic information,
h. regularly test and monitor systems and procedures to
detect actual and attempted attacks on, or intrusions
into, information systems,
i. include audit trails within the information security
program designed to detect and respond to
cybersecurity events and designed to reconstruct
material financial transactions sufficient to support
normal operations and obligations of the licensee,
j. implement measures to protect against destruction,
loss, or damage of nonpublic information due to
environmental hazards such as fire and water damage or
other catastrophic events or technological failures,
and
k. develop, implement and maintain procedures for the
secure disposal of nonpublic information in any format;
Req. No. 391 Page 11 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
3. Include cybersecurity risks in the enterprise risk management
process of the licensee;
4. Stay informed regarding emerging threats or vulnerabilities
and utilize reasonable security measures when sharing information
relative to the character of the sharing and the type of information
shared; and
5. Provide its personnel with cybersecurity awareness training
that is updated as necessary to reflect risks identified by the
licensee in the risk assessment.
E. If the licensee has a boa rd of directors, the board or an
appropriate committee of the board , at a minimum, within one year of
the effective date of thi s act, shall:
1. Require the executive manageme nt of the licensee or its
delegates to develop, implement, and maintain the infor mation
security program of the licensee;
2. Require the executive management of the licensee or its
delegates to report to the Insurance Commissioner in writing, at
least annually, the following information:
a. the overall status of the information securi ty program
and the compliance of the licensee with this act, and
b. material matters related to the information security
program, addressing issues such as risk assessment,
risk management and control deci sions, third-party
service provider arrangements, results of testing,
Req. No. 391 Page 12 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
cybersecurity events or violations and responses of
the management to those events or violations, and
recommendations for changes in the information
security program; and
3. If executive management delegates any of its
responsibilities, it shall oversee the development, implementation ,
and maintenance of the information security program of the licensee
prepared by the delegate or delegates and shall receive a report
from the delegate or delegates complying with the requirements of
the report to the board.
F. A licensee shall exercise due diligence in selecting its
third-party service provider and shall require t he provider to
implement appropriate administrat ive, technical, and physical
measures to protect and secure the information syst ems and nonpublic
information that are accessible to, or held by, the third-party
service provider.
G. The licensee shall monito r, evaluate, and adjust, as
appropriate, the inf ormation security program co nsistent with any
relevant changes in technology, t he sensitivity of its nonpublic
information, internal o r external threats to information and the
changing business arrangements o f the licensee, such as mergers and
acquisitions, alliances and joint ventur es, outsourcing
arrangements, and changes to inform ation systems.
Req. No. 391 Page 13 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
H. As part of its information s ecurity program, each licensee
shall establish a written incident response plan de signed to
promptly respond to, and recover from, any cybersecurity event tha t
compromises the conf identiality, integrity, or availability of
nonpublic information in its possession, the information systems of
the licensee, or the continuing functionality of any aspect of the
business or operations of the licensee.
The incident response plan shall addres s the following areas:
1. The internal process for responding to a cybersecurity
event;
2. The goals of the incident response plan;
3. The definition of cl ear roles, responsibilities , and levels
of decision-making authority;
4. External and internal com munications and information
sharing;
5. Identification of requirements for the remediation of any
identified weaknesses in information systems and associated
controls;
6. Documentation and reporting regarding cybersecurity events
and related incident res ponse activities; and
7. The evaluation and revision as necessary of the incident
response plan following a cybersecurity event.
I. Annually, each insurer domiciled in this state shall submit
to the Commissioner a written statement by March 1, certifying that
Req. No. 391 Page 14 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
the insurer complies with the requirements set forth in this section.
Each insurer shall maintain, for examination by the Insurance
Department, all records, schedules, and data supporting this
certificate for a period of five (5) years. To the extent an
insurer has identified areas, systems, or processes that require
material improvement, updating, or redesign, the insurer shall
document the identification and the remedial efforts planned and
underway to address such areas, systems, or processes. The
documentation shall be available for inspection by the Commissioner
upon request.
SECTION 5. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 674 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. If the licensee learns that a cybersecurity event has or
may have occurred, the licensee, or an outside vendor or service
provider designated to act on behalf of the licensee, shall conduct
a prompt investigation.
B. During the investigation, the licensee, or an outs ide vendor
or service provider des ignated to act on behalf of the licensee,
shall, at a minimum:
1. Determine whether a cybersecurity event has occurred;
2. Assess the nature and scop e of the cybersecurity eve nt;
3. Identify any nonpublic information that may have been
involved in the cybersecurity event; and
Req. No. 391 Page 15 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
4. Perform or oversee r easonable measures to restore the
security of the information systems compromised in the cybersecurity
event in order to prevent further unauthorized acquisition, release
or use of nonpublic information in th e possession, custody, or
control of the licensee .
C. If the licensee learns that a cybersecurity event has or may
have occurred in a system maintaine d by a third-party service
provider, the licensee shall complete the steps listed in subsection
B of this section or confirm and document that the third -party
service provider has completed those steps.
D. The licensee shall maintain records concerning all
cybersecurity events for a period of at least five (5) years from
the date of the cybersecurity event and shall produce those records
upon request by the Insurance Commissioner.
SECTION 6. NEW LAW A new section of law to be codifi ed
in the Oklahoma Statutes as Section 675 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
A. Every licensee shall notify the Insurance Commissioner
without unreasonable delay, but not later than three business days,
from a determination that a cybersecurity event involving nonpublic
information that is in the possession of a licensee has occurred
when either of the following criteria has been met:
1. This state is the state of domicile of the licensee, in the
case of an insurer, or this state i s the home state of the licensee,
Req. No. 391 Page 16 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
in the case of a producer, as those terms are defined in the
Oklahoma Producer Licensing Act, Sections 1435.1 thro ugh 1435.41 of
Title 36 of the Oklahoma Statutes, and the cybersecurity event has a
reasonable likelihood of materially harming any material part of the
normal operations of the licensee or any consumer residing in this
state; or
2. The licensee reasonably believes that the nonpublic
information involved is of two hundred fifty (250) or more consumers
residing in this state and is either of the following:
a. a cybersecurity event impacting the licensee of which
notice is required to be provided to any government
body, self-regulatory agency, or any other supervisory
body pursuant to any state or federal law, or
b. a cybersecurity event that has a reasonable li kelihood
of materially harming:
(1) any consumer residing in this state , or
(2) any material part of the normal operation or
operations of the licensee .
B. The licensee making the n otification required in su bsection
A of this section shall provide as much of the following information
as possible, electronically in the manner and form prescribed by the
Commissioner, along with any applicable fees . The licensee shall
have a continuing obligation to update and s upplement initial and
subsequent notifications t o the Commissioner regarding material
Req. No. 391 Page 17 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
changes to previously provided information relating to the
cybersecurity event. The licensee shall provide:
1. Date of the cybersecurity even t;
2. Description of how t he information was exposed, lost,
stolen, or breached including the specific roles and
responsibilities of third-party service providers, if any;
3. How the cybersecurity event was discovered;
4. Whether any lost, stolen , or breached information has been
recovered and, if so, how this was done;
5. The identity of the source of the cybersecurity event;
6. Whether the licensee has filed a police report or has
notified any regulatory, government , or law enforcement agencies
and, if so, when such notification was provided;
7. Description of the specific ty pes of information acquired
without authorization. The term “specific types of information”
means particular data elements including, but not limited to, types
of medical information, financial information, o r information
allowing identification of the con sumer;
8. The period during which the information system was
compromised by the cybersecurity event;
9. The number of total consumers in this state affected by the
cybersecurity event. The licensee shall p rovide the best estimate
in the initial report t o the Commissioner and update this estimate
Req. No. 391 Page 18 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
with each subsequent report to the Commissioner pursuant to this
section;
10. The results of any internal review identifying a lapse in
either automated controls o r internal procedures, or confirming that
all automated controls or internal procedures were followed;
11. Description of efforts being undertaken to remediate the
situation which permitted the cybersecurity event to occur;
12. A copy of the privacy policy of the licensee and a
statement outlining the steps the licensee will take to investigate
and notify consumers affected by the cybersecurity event; and
13. Name of a contact person who is both familiar with the
cybersecurity event and authorized to act for the licensee.
C. A licensee shall comply w ith the procedures of the Security
Breach Notification Act, Section 161 et seq. of Title 24 of the
Oklahoma Statutes, to notify affected consumers and provide a copy
of the notice sent to consumers under that statute to the
Commissioner, when a licensee is required to notify the Commissioner
under subsection A of this section.
D. 1. In the case of a cybersecurity event in a system
maintained by a third -party service provider, o f which the licensee
has become aware, the licensee shall treat the event as it would
under subsection A of this section unless the third -party service
provider provides the notice required under subsection A of this
section to the Commissioner and the lic ensee.
Req. No. 391 Page 19 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. The computation of de adlines of the licensee shall begin on
the day after the third-party service provider notifies the licensee
of the cybersecurity event or the licensee otherwise has actual
knowledge of the cybersecurity event, whichever is s ooner.
3. Nothing in this act sh all prevent or abrogate an agreement
between a licensee and another licensee, a third -party service
provider, or any other party to fulfill any of the investigation
requirements impose or notice requirements imposed under this act.
E. 1. In the case of a cybersecurity event involving nonpublic
information that is used by the licensee that is acting as an
assuming insurer, or in the possession, custody , or control of a
licensee, that is acting as an ass uming insurer and tha t does not
have a direct contractua l relationship with the affected consumers,
the assuming insurer shall notify its affected ceding insurers and
the Commissioner of its state of domicile within three (3) business
days of making the determination that a cy bersecurity event has
occurred. The ceding insurers that have a direct contractual
relationship with affected consumers shall fulfill the consumer
notification requirements imposed under the Security Breach
Notification Act, Section 161 et seq. of Title 2 4 of the Oklahoma
Statutes, and any other notification requirements relating to a
cybersecurity event imposed under this section.
2. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody, or control of a
Req. No. 391 Page 20 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
third-party service provider of a lice nsee that is an assuming
insurer, the assuming i nsurer shall notify its affected ceding
insurers and the Commissioner of its state of domicile within three
(3) business days of receiving notice from its third -party service
provider that a cybersecurity eve nt has occurred. The ceding
insurers that have a direct contractual relationship with affected
consumers shall fulfill the consumer notification requirements
imposed under Security Breach Notification Act, Section 161 et seq.
of Title 24 of the Oklahoma St atutes, and any other notification
requirements relating to a cybersecurity event imposed under this
section.
F. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody , or control of a
licensee that is an ins urer or its third-party service provider for
which a consumer accessed the services of the insurer through an
independent insurance producer, and for which consumer not ice is
required by this act or the Security Brea ch Notification Act,
Section 161 et seq. of Title 24 of the Oklahoma Statutes, the
insurer shall notify the producers of record of all affected
consumers of the cybersecurity event no later than the time at which
notice is provided to the affected consumer s. The insurer is
excused from this obl igation for any producers who are not
authorized by law or contract to sell, solicit , or negotiate on
behalf of the insurer, and in those instances in which the insurer
Req. No. 391 Page 21 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
does not have the current producer of record in formation for an
individual consumer. Any licensee acting as an assuming insurer
shall have no other notice obligations relating to a cybersecurity
event or other data breach under this section or any other law of
this state.
SECTION 7. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 676 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
A. The Insurance Commissioner shall have power to examine and
investigate the affairs of any licensee to determine whether the
licensee has been or is engaged in any conduct in violation of the
provisions of this act or any rules promulgated thereto . This power
is in addition to the powers which the Commissioner has under
applicable provisions of the Insurance Code including, but not
limited to, Sections 309.1 through 309.6, 332, and 1250.4 of Title
36 of the Oklahoma Statutes .
B. Whenever the Commissioner has reason to believe that a
licensee has been or is engaged in conduct in this state that
violates any provision of this act, the Commissioner may take action
that is necessary or appropriate to enforce the provisi ons.
SECTION 8. NEW LAW A new section of law to be codifi ed
in the Oklahoma Statutes as Section 677 of Title 36, unless there is
created a duplication in numbering, reads as follows:
Req. No. 391 Page 22 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. Any documents, materials , or other information in the
control or possession of the Insurance Department that are furnished
by a licensee or an employee or agent there of acting on behalf of a
licensee pursuant to the provisions of Section 4 and Section 6 of
this act or that are obtained by the Insuran ce Commissioner in an
investigation or examinati on pursuant to Section 7 of this act shall
be confidential by law and pri vileged, shall not be subject to the
Oklahoma Open Records Act, shall not be subject to subpoena, and
shall not be subject to discover y or admissible in evidence in any
private civil action. However, the Commissioner is authorized to
use the documents, materials, or other information in the
furtherance of any regulatory or legal action brought as a part of
the Commissioner’s duties. The Commissioner shall no t otherwise
make the documents, materials, or other information public without
the prior written consent of the licensee.
B. Neither the Commissioner nor any person who received
documents, materials , or other information while acting under the
authority of the Commissioner shall b e permitted or required to
testify in any private civil action concerning any confidential
documents, materials, or information subject to subsection A of this
section.
C. In order to assist in the perf ormance of the duties of the
Commissioner under this act, the Commissioner:
Req. No. 391 Page 23 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1. May share documents, materials , or other information
including the confidential and privil eged documents, materials, or
information subject to subsection A of this section, with other
state, federal, and international regulatory age ncies, with the
National Association of Insurance Commissioners and its affiliates
or subsidiaries and with state, f ederal, and international law
enforcement authorities; provided, that the recipient agrees in
writing to maintain the confidentiality and pri vileged status of the
document, material, or other information;
2. May receive documents, materials , or information including
otherwise confidential and privileged documents, materials , or
information, from the National Association of Insurance
Commissioners, its affiliates or subsidiaries , and from regulatory
and law enforcement officials of other foreign or domestic
jurisdictions, and shall maintain as confidential or privileged any
document, material, or information received with notice or the
understanding that it is confidential or privileged under the laws
of the jurisdiction that is the source of the document, materi al, or
information;
3. May share documents, materials, or other information subject
to subsection A of this section, with a third-party consultant or
vendor; provided, the consultant agrees in writing to maintain the
confidentiality and privileged status of the document, material, or
other information; and
Req. No. 391 Page 24 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
4. May enter into agreements governing sharing and use of
information consistent with this subsection.
D. No waiver of any applicable privilege or claim of
confidentiality in the documents, materials, or information shall
occur as a result of disclosure to the Insurance Commissioner under
this section or as a result of sharing as authorized in subsection C
of this section.
E. Nothing in this act shall prohibit the Commissioner from
releasing final, adjudicated actions that are open to public
inspection pursuant to the Oklahoma Open Records Act, to a database
or other clearinghouse service maintained by the National
Association of Insurance Commissioners, its affiliates, or
subsidiaries.
F. Documents, materials, or other information in the possession
or control of the National Association of Insur ance Commissioners or
a third-party consultant or vendor pursuant to this act shall be
construed to be public information, shall not be subject to the
Oklahoma Open Records Act, shall not be subject to subpoena, and
shall not be subject to discovery or adm issible as evidence in any
private civil action.
SECTION 9. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Sect ion 678 of Title 36, unless there is
created a duplication in numbering, reads as follows:
Req. No. 391 Page 25 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. The Insurance Commissioner may promulgate any rules
necessary to carry out the provisions of this section.
B. 1. The following exceptions shall apply to this a ct:
a. a licensee with less than Five Million Dollars
($5,000,000.00) in gross annual revenue, is exempt
from this act,
b. a licensee subject to the Health Insurance Portability
and Accountability Act, Pub . L. 104–191, 110 Stat.
1936, as amended, that has established and maintains
an information security program pursuant to such
statutes, rules, regulations, procedures , or
guidelines established thereunder, will be considered
to meet the requirements of Section 4 of this act,
provided that the licensee is compliant with and
submits a written statement to the Commission er
certifying its compliance with, the same , and
c. an employee, agent, repre sentative, or designee of a
licensee, who is also a licensee, is exempt from this
act and shall not be required to d evelop their own
information security program to the extent that the
employee, agent, representative , or designee is
covered by the information security program of the
licensee.
Req. No. 391 Page 26 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. If a licensee ceases to qualify for an exception, the
licensee shall have one hundred eighty (180) days to comply with the
provisions of this act.
C. In the case of a violation of this act, a licensee may be
penalized in accordance with any applicable sections of the
Insurance Code, including, but not limited to, Section 908 of Title
36 of the Oklahoma Statutes, or any other provisi on providing for
penalties that the licensee is subject to under the license or
permit of the licensee. Nothing in this act shall be construed to
impose any civil liability for any violation of this act or omission
to act by the licensee or employees of the license e.
D. The provisions of this act shall take precedence over any
other state laws applicable to licensees for data security and the
investigation of a cybersecurity event.
SECTION 10. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 679 of Title 36, unless there is
created a duplication in numb ering, reads as follows:
Licensees shall have one (1) year from the effective dat e of
this act to implement Section 4 of this act and two (2) years from
the effective date of this act to implement subsection F of Section
3 of this act.
SECTION 11. AMENDATORY 51 O. S. 2021, Section 24A.3, as
last amended by Secti on 1, Chapter 402, O.S.L. 2022 (51 O.S. Supp.
2022, Section 24A.3), is amended to read as follows:
Req. No. 391 Page 27 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Section 24A.3. As used in the Oklahoma Open Records Act:
1. “Record” means all documents including, but not limited to,
any book, paper, photograph, microf ilm, data files created by or
used with computer software, computer tape, disk, record, sound
recording, film recording, video record or other material regardless
of physical form or characteristic, created b y, received by, under
the authority of, or comin g into the custody, control or possession
of public officials, public bodies or their representatives in
connection with the transaction of public bus iness, the expenditure
of public funds or the administerin g of public property. “Record”
does not mean:
a. computer software,
b. nongovernment personal effects,
c. unless public disclosure is required by other laws or
regulations, vehicle movement records of the Oklahoma
Transportation Authority obtained in conn ection with
the Authority’s electronic toll coll ection system,
d. personal financial information, credit reports or
other financial data obtained by or submitted to a
public body for the purpose of evaluating credit
worthiness, obtaining a license, permit or for the
purpose of becoming qualified to cont ract with a
public body,
Req. No. 391 Page 28 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
e. any digital audio/video recordings of the toll
collection and safeguarding activities of the Oklahoma
Transportation Authority,
f. any personal information provided by a guest at a ny
facility owned or operated by the Oklahoma To urism and
Recreation Department to obtain any service at t he
facility or by a purchaser of a product sold by or
through the Oklahoma Tourism and Recreation
Department,
g. a Department of Defense Form 214 (DD Form 214) filed
with a county clerk including any DD Form 214 filed
before July 1, 2002,
h. except as provided for in Section 2 -110 of Title 47 of
the Oklahoma Statutes,
(1) any record in connection with a Motor Vehicle
Report issued by the Department of Public Safety,
as prescribed in Secti on 6-117 of Title 47 of the
Oklahoma Statutes, or
(2) personal information within driver records, as
defined by the Driver ’s Privacy Protection Act,
18 United States Code, Sections 2721 through
2725, which are stored and maintained by the
Department of Public Safety, or
Req. No. 391 Page 29 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
i. any portion of any document or information provided to
an agency or entity of the state or a political
subdivision to obtain licensure under the laws of this
state or a political subdivision that contai ns an
applicant’s personal address, personal pho ne number,
personal electronic mail address or other contact
information. Provided, how ever, lists of persons
licensed, the existence of a license of a person, or a
business or commercial address, or other b usiness or
commercial information disclosable un der state law
submitted with an application for licensure shall be
public record, or
j. information relating to a cybersecurity event reported
to the Insurance Commissioner pursuant to the
Insurance Data Security Act;
2. “Public body” shall include, but not be limited to, any
office, department, board, bureau, commission, agency, trusteesh ip,
authority, council, committee, trust or any entity cr eated by a
trust, county, city, village, town, township, distri ct, school
district, fair board, court, executive office, advisory group, task
force, study group or any subdivision thereof, supported in whole or
in part by public funds or entrusted with th e expenditure of public
funds or administering or operating pub lic property, and all
committees, or subcommittees thereof. Except for the records
Req. No. 391 Page 30 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
required by Section 24A.4 of this title, “public body” does not mean
judges, justices, the Council on Judicia l Complaints, the
Legislature or legislators. “Public body” shall not include an
organization that is exempt from federal income tax under Section
501(c)(3) of the Internal Revenue Code of 1986, as amended, and
whose sole beneficiary is a college or university, or an affiliated
entity of the college or university, that is a member of The
Oklahoma State System of Higher Education. Such organization shall
not receive direct appropria tions from the Oklahoma Legislature.
The following persons shall not b e eligible to serve as a voting
member of the governing bo ard of the organization:
a. a member, officer, or employee of the Oklahoma State
Regents for Higher Education,
b. a member of the board of regents or other governing
board of the college or university th at is the sole
beneficiary of the organization, or
c. an officer or employee of the college or university
that is the sole beneficiary of the organization;
3. “Public office” means the physical lo cation where public
bodies conduct business or keep record s;
4. “Public official” means any official or employee of any
public body as defined herein; and
5. “Law enforcement agency” means any public body charged with
enforcing state or local criminal laws and initiating criminal
Req. No. 391 Page 31 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
prosecutions including, but not limited to, police dep artments,
county sheriffs, the Departm ent of Public Safety, the Oklahoma State
Bureau of Narcotics and Dangerous Drugs Control, the Alcoholic
Beverage Laws Enforcement Commi ssion, and the Oklahoma State Bureau
of Investigation.
SECTION 12. This act shall become effective November 1, 20 23.
59-1-391 RD 1/17/2023 5:32:58 PM