Oklahoma 2023 Regular Session

Oklahoma Senate Bill SB543 Compare Versions

Old | New | Differences
3-SB543 HFLR Page 1
4-BOLD FACE denotes Committee Amendments. 1
3+ENGR. S. B. NO. 543 Page 1 1
29-HOUSE OF REPRESENTATIVES - FLOOR VERSION
30-
31-STATE OF OKLAHOMA
32-
33-1st Session of the 59th Legislature (2023)
34-
35-COMMITTEE SUBSTITUTE
36-FOR ENGROSSED
37-SENATE BILL NO. 543 By: Montgomery of the Senate
28+ENGROSSED SENATE
29+BILL NO. 543 By: Montgomery of the Senate
3931 and
4133 Sneed of the House
47-COMMITTEE SUBSTITUTE
4938 An Act relating to insurance data security; creating
5039 the Insurance Data Security A ct; providing short
5140 title; establishing act jurisdi ction; construing
5241 provision; defining terms; requiring licensees to
5342 develop data security program with certain
5443 inclusions; establishing intent of security programs
5544 created pursuant to act; directing licensee to
5645 conduct risk assessment; directing licensee t o take
5746 certain action following risk assessment result;
5847 requiring certain su pervising boards to take certain
5948 actions to implement program; requiring licensee to
6049 contract with third-party service provider subject to
6150 certain conditions; requiring licensee to maintain
6251 updates and revisions to program; requiring licensee
6352 develop incident response plan; requiring certain
6453 reports be submitted to the Insurance Commissioner;
6554 requiring insurer to maintain certain records for
6655 specific time period; requiring investiga tion after
6756 certain cybersecurity event; establishing
6857 investigation process; requiring notification of
6958 certain event to the Commissioner; requiring
7059 compliance with certain state laws; providing for
7160 certain exemption; providing for the Commissioner to
7261 investigate certain license es for certain violations;
7362 providing for confidentialit y of certain information
7463 relating to cybersecurity event; allowing
7564 Commissioner to share certain data with national
65+association; construing provision; providing for rule
66+promulgation; providing certain exceptions to act;
67+establishing penalties; amending 51 O.S. 2021,
68+Section 24A.3, as last amended by Section 1, Chapter
69+402, O.S.L. 2022 (51 O. S. Supp. 2022, Section 24A.3),
70+which relates to the Oklahoma Open Records Act;
71+modifying definition; updating statutory language;
72+providing for codification; and providing a n
73+effective date.
103-association; construing provision; providing for rule
104-promulgation; providing certain exceptions to act;
105-establishing penalties; amending 51 O.S. 2021,
106-Section 24A.3, as last amended by Section 1, Chapter
107-402, O.S.L. 2022 (51 O.S. Supp. 2022, Section 24A.3),
108-which relates to the Oklahoma Open Records Act;
109-modifying definition; updating statutory language;
110-providing for codification; and providing a n
111-effective date.
117105 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
118106 SECTION 1. NEW LAW A new section of law to be codified
119107 in the Oklahoma Statutes as Section 670 of Title 36, unless there is
120108 created a duplication in numb ering, reads as follows:
121109 This act shall be known and may be cited as the “Insurance Data
122110 Security Act”.
123111 SECTION 2. NEW LAW A new section of law to be codified
124112 in the Oklahoma Statutes as Section 671 of Title 36, unless there is
125113 created a duplication in numb ering, reads as follows:
126114 A. Notwithstanding any other provision o f law, the provisions
127115 of this act shall be the exclusive state law for licensees subject
128116 to the jurisdiction of the Insurance Commissioner for data security,
129117 the investigation of a cybersecurity event, and notification to the
130118 Commissioner.
131119 B. This act shall not be construed to creat e or imply a private
132120 cause of action for violations of its provisions.
121+SECTION 3. NEW LAW A new section of law to be codified
122+in the Oklahoma Statutes as Section 672 of Title 36, unless there is
123+created a duplication in numbering, reads as follows:
124+As used in this act:
125+1. “Authorized individual” means an individual known to and
126+screened by the licensee and determined to be necessary and
160-SECTION 3. NEW LAW A new section of law to be codified
161-in the Oklahoma Statutes as Section 672 of Title 36, unless there is
162-created a duplication in numbering, reads as follows:
163-As used in this act:
164-1. “Authorized individual” means an individual known to and
165-screened by the licensee and determined to be necessary and
166153 appropriate to have access to the nonpublic information held by the
167154 licensee and its inform ation systems;
168155 2. “Commissioner” means the Insurance Commissioner;
169156 3. “Consumer” means an individual, including but not limited to
170157 applicants, policyholders, insureds, beneficiaries, claimants, and
171158 certificate holders, who is a resident of this state and whose
172159 nonpublic information is in the possession, custody, or control of a
173160 licensee;
174161 4. “Cybersecurity event” means an event resulting in
175162 unauthorized access to or disruption or misuse of an information
176163 system or nonpublic information stored on the information system.
177164 The term cybersecurity event shall not include the unauthorized
178165 acquisition of encrypted nonpublic information if the encryption,
179166 process, or key is not also acquired, released , or used without
180167 authorization. Cybersecurity event shall not include an event in
181168 which the licensee has determined tha t the nonpublic info rmation
182169 accessed by an unauthorized person has not been used or released and
183170 has been returned or destroyed ;
171+5. “Department” means the Insurance Department;
172+6. “Encrypted” means the transformation of data into a form
173+which results in a low probability of assigning meaning without the
174+use of a protective process or key;
175+7. “Information security program ” means the administrative,
176+technical, and physical safeguards that a licensee u ses to access,
211-5. “Department” means the Insurance Department;
212-6. “Encrypted” means the transformation of data into a form
213-which results in a low probability of assigning meaning without the
214-use of a protective process or key;
215-7. “Information security program ” means the administrative,
216-technical, and physical safeguards that a licensee u ses to access,
217203 collect, distribute, process, protect, st ore, use, transmit, dispose
218204 of, or otherwise handle nonpublic information;
219205 8. “Information system” means a discrete set of electro nic
220206 information resources organized for the collection, processing,
221207 maintenance, use, sharing, dissemination or disposi tion of nonpublic
222208 information, as well as any specialized system such as industrial or
223209 process controls systems, telephone switching and private branch
224210 exchange systems, and environmental control systems;
225211 9. “Licensee” means any person licensed, authorized to o perate,
226212 or registered, or required to be licensed, authorized to operate, or
227213 registered, pursuant to Title 36 of the Oklahoma Statutes; provided,
228214 however, that it shall not include a purchasing group or a risk
229215 retention group chartered and licensed in a st ate other than this
230216 state or a person that is acting as an assuming insurer that is
231217 domiciled in another state or jurisdiction;
232218 10. “Multi-factor authentication” means authentication through
233219 verification of at least two (2) of the following types of
234220 authentication factors:
221+a. knowledge factors, such as a password ,
222+b. possession factors, such as a token or text message on
223+a mobile phone, or
224+c. inherence factors, such as a biometric characteristic;
225+11. “Nonpublic information” means electronic information th at
226+is not publicly available and is:
262-a. knowledge factors, such as a password ,
263-b. possession factors, such as a token or text message on
264-a mobile phone, or
265-c. inherence factors, such as a biometric characteristic;
266-11. “Nonpublic information” means electronic information th at
267-is not publicly available and is:
268253 a. business related information of a licensee, of which
269254 the tampering with or unauthorized disclosure, acce ss,
270255 or use of would cause a material adverse impact to the
271256 business, operations, or security of the licensee ,
272257 b. any information concerning a consumer that, because of
273258 name, number, personal mark, or other identifier, can
274259 be used to identify him or her, in co mbination with
275260 any one or more of the following data elements:
276261 (1) social security number,
277262 (2) driver license number or nondriver identification
278263 card number,
279264 (3) financial account number, credit card number, or
280265 debit card number,
281266 (4) any security code, access code , or password that
282267 would permit access to a consumer’s financial
283268 account, or
284269 (5) biometric records, or
270+c. any information or data, except age or gender, in any
271+form or medium created by or derived from a health
272+care provider or a consumer that can be used to
273+identify a particular consumer and that relates to:
274+(1) the past, present, or future physical, men tal, or
275+behavioral health or condition of any consumer or
276+a member of the family of the consumer,
312-c. any information or data, except age or gender, in any
313-form or medium created by or derived from a health
314-care provider or a consumer th at can be used to
315-identify a particular consumer and that relates to:
316-(1) the past, present, or future physical, men tal, or
317-behavioral health or condition of any consumer or
318-a member of the family of the consumer,
319303 (2) the provision of health care to any consumer , or
320304 (3) payment for the provision of health care to any
321305 consumer;
322306 12. “Person” means any individual or any nongovernmental
323307 entity including but not limited to any nongovernmental
324308 partnership, corporation, branch, agency, or association;
325309 13. “Publicly available information” means any information that
326310 a licensee has reasonable basis to believe is lawfully made
327311 available to the gener al public from federal, state, or local
328312 government records, widely distributed media, or disclosures to the
329313 general public that are required to be made by federal, state, or
330314 local law. For the purposes of this definition, a licensee has a
331315 reasonable basis to believe that information is lawfully made
332316 available to the general public if the licensee has taken steps to
333317 determine:
334318 a. that the information is of the type that is available
335319 to the general public, and
320+b. whether a consumer can direct that the information not
321+be made available to the general public and, if so,
322+that such consumer has not done so; and
323+14. “Third-party service provider” means a person, not
324+otherwise defined as a licensee, that contracts with a licensee to
325+maintain, process, store, or otherwise is permitted access to
363-b. whether a consumer can direct that the information not
364-be made available to the general public and, if so,
365-that such consumer has not done so; and
366-14. “Third-party service provider” means a person, not
367-otherwise defined as a licensee, that contracts with a licensee to
368-maintain, process, store, or otherwise is permitted access to
369352 nonpublic information through its provision of services to the
370353 licensee.
371354 SECTION 4. NEW LAW A new section of law to be codified
372355 in the Oklahoma Statutes as Section 673 of Title 36, unless there is
373356 created a duplication in numbering, reads as follows:
374357 A. Each licensee in this state shall develop, implement, and
375358 maintain a comprehensive written information security program based
376359 on the risk assessment of the licensee provided for in t his act and
377360 that contains administrative, technical, and physical safeguards for
378361 the protection of nonpublic in formation and the information systems
379362 of the licensee. The program shall be commensurate with the size and
380363 complexity of the licensee, the nature and scope of the activities
381364 of the licensee, including its use of third-party service providers,
382365 and the sensitivity of the nonpublic information used by the
383366 licensee or in the possession, custody, or control of the licensee.
384367 B. An information security program of a license e shall be
385368 designed to:
369+1. Protect the security and confidentialit y of nonpublic
370+information and the security of the information systems;
371+2. Protect against any threats or hazards to the security or
372+integrity of nonpublic information and the information systems;
373+3. Protect against unauthorized access to or use of nonpu blic
374+information, and minimize the likelihood o f harm to any consumer;
375+and
413-1. Protect the security and confidentialit y of nonpublic
414-information and the security of the information systems;
415-2. Protect against any threats or hazards to the security or
416-integrity of nonpublic information and the information systems;
417-3. Protect against unauthorized access to or use of nonpu blic
418-information, and minimize the likelihood o f harm to any consumer;
419-and
420402 4. Define and periodically reevaluate a schedule for retention
421403 of nonpublic information and a mechanism for its destruction when no
422404 longer needed.
423405 C. The licensee shall:
424406 1. Designate one or more employees, an affiliate, or an outside
425407 vendor designated to act on behalf of the licensee who is
426408 responsible for the information security program;
427409 2. Identify reasonably foreseeable internal or external threats
428410 that could result in unauthorized access, transmission, disclosure,
429411 misuse, alteration, or destruction of nonpublic information
430412 including, but not limited to, the security of information systems
431413 and nonpublic information that are accessible to, or held by, third-
432414 party service providers;
433415 3. Assess the likelihood and potential damage of these threats,
434416 taking into consideration the sensitivity of the nonpublic
435417 information;
418+4. Assess the sufficiency of policies, procedures, information
419+systems, and other safeguards in place to manage these threats,
420+including consideration of threats in each relevant area of the
421+operations of the licensee, including:
422+a. employee training and management,
423+b. information systems, including, but not limited to,
424+network and software design, as well as information
463-4. Assess the sufficiency of policies, procedures, information
464-systems, and other safeguards in place to manage these threats,
465-including consideration of threats in each relevant area of the
466-operations of the licensee, including:
467-a. employee training and management,
468-b. information systems, including, but not limited to,
469-network and software design, as well as information
470451 classification, governance, processing, storage,
471452 transmission, and disposal, and
472453 c. detecting, preventing, and responding to attacks,
473454 intrusions, or other systems failures; and
474455 5. Implement information safeguards to manage the threats
475456 identified in its ongoing assessment, and no less than annuall y,
476457 assess the effectiveness of the key cont rols, systems, and
477458 procedures of the safeguards.
478459 D. Based on the results of the risk assessment, the licensee
479460 shall:
480461 1. Design its information security program to mitigate the
481462 identified risks, commensurate with the size and complexity of the
482463 licensee, the nature and scope of the a ctivities of the licensee
483464 including its use of third-party service providers, and the
484465 sensitivity of the nonpublic information used by the licensee or in
485466 the possession, custody, or control of the licensee;
467+2. Determine and implement security measures deemed
468+appropriate, including:
469+a. place access controls on information systems
470+including controls to authenticate and permit access
471+only to authorized individuals to protect against the
472+unauthorized acquisition of nonpublic information,
473+b. identify and manage the data, personnel, devices,
474+systems, and facilities that enable the organization
513-2. Determine and implement security measures deemed
514-appropriate, including:
515-a. place access controls on information systems
516-including controls to authenticate and permit access
517-only to authorized individuals to protect against the
518-unauthorized acquisition of nonpublic information,
519-b. identify and manage the data, personnel, devices,
520-systems, and facilities that enable the organization
521501 to achieve business purposes in acco rdance with their
522502 relative importance to business objectives and the
523503 risk strategy of the organization,
524504 c. restrict physical access to nonpublic information to
525505 authorized individuals only,
526506 d. protect by encryption or other appropriate means, all
527507 nonpublic information while being transmitted over an
528508 external network and all nonpublic information stored
529509 on a laptop computer or other portable computing or
530510 storage device or media,
531511 e. adopt secure development practices for in-house
532512 developed applications utilized by the licensee,
533513 f. modify the information system in accordance with the
534514 information security program of the licensee,
515+g. utilize effective controls, which may include multi-
516+factor authentication procedures for any authorized
517+individual accessing nonpublic information,
518+h. regularly test and monitor systems and procedures to
519+detect actual and attempted attacks on, or intrusions
520+into, information systems,
521+i. include audit trails within the information security
522+program designed to detect and respond to
523+cybersecurity events and designed to reconstruct
562-g. utilize effective controls, which may include multi-
563-factor authentication procedures for any authorized
564-individual accessing nonpublic information,
565-h. regularly test and monitor systems and procedures to
566-detect actual and attempted attacks on, or intrusions
567-into, information systems,
568-i. include audit trails within the information security
569-program designed to detect and respond to
570-cybersecurity events and designed to reconstruct
571550 material financial transactions sufficient to support
572551 normal operations and obligations of the licensee,
573552 j. implement measures to protect against destruction,
574553 loss, or damage of nonpublic information due to
575554 environmental hazards such as fire and water damage or
576555 other catastrophic events or technological failures,
577556 and
578557 k. develop, implement, and maintain procedures for the
579558 secure disposal of nonpublic information in any format;
580559 3. Include cybersecurity risks in the enterprise risk management
581560 process of the licensee;
582561 4. Stay informed regarding emerging threats or vulnerabilities
583562 and utilize reasonable security measures when sharing information
584563 relative to the character of the sharing and the type of information
585564 shared; and
565+5. Provide its personnel with cybersecurity awareness training
566+that is updated as necessary to reflect risks identified by the
567+licensee in the risk assessment.
568+E. If the licensee has a board of directors, the board or an
569+appropriate committee of the board , at a minimum, within one year of
570+the effective date of thi s act, shall:
571+1. Require the executive management of the licensee or its
572+delegates to develop, implement, and maintain the information
573+security program of the licensee;
613-5. Provide its personnel with cybersecurity awareness training
614-that is updated as necessary to reflect risks identified by the
615-licensee in the risk assessment.
616-E. If the licensee has a board of directors, the board or an
617-appropriate committee of the board , at a minimum, within one year of
618-the effective date of thi s act, shall:
619-1. Require the executive management of the licensee or its
620-delegates to develop, implement, and maintain the information
621-security program of the licensee;
622600 2. Require the executive management of the licensee or its
623601 delegates to report to the Insurance Commissioner in writing, at
624602 least annually, the following information:
625603 a. the overall status of the information security program
626604 and the compliance of the licensee with this act, and
627605 b. material matters related to the information security
628606 program, addressing issues such as risk asses sment,
629607 risk management and control decisions, third-party
630608 service provider arrangements, results of testing,
631609 cybersecurity events or violations and responses of
632610 the management to those events or violations, and
633611 recommendations for changes in the informatio n
634612 security program; and
635613 3. If executive management delegates any of its
636614 responsibilities, it shall oversee the development, implementation ,
615+and maintenance of the information security program of the licensee
616+prepared by the delegate or delegates and shall receive a report
617+from the delegate or delegates complying with the requirements of
618+the report to the board.
619+F. A licensee shall exercise due diligence in selecting its
620+third-party service provider and shall require t he provider to
621+implement appropriate a dministrative, technical, and physical
622+measures to protect and secure the information systems and nonpublic
664-and maintenance of the information security program of the licensee
665-prepared by the delegate or delega tes and shall receive a report
666-from the delegate or delegates complying with the requirements of
667-the report to the board.
668-F. A licensee shall exercise due diligence in selecting its
669-third-party service provider and shall require t he provider to
670-implement appropriate administrative, technical, and physical
671-measures to protect and secure the information systems and nonpublic
672649 information that are accessible to, or held by, the third-party
673650 service provider.
674651 G. The licensee shall monito r, evaluate, and adjust, as
675652 appropriate, the information security program consistent with any
676653 relevant changes in technology, the sensitivity of its nonpublic
677654 information, internal o r external threats to information and the
678655 changing business arrangements o f the licensee, such as mergers and
679656 acquisitions, alliances and joint ventures, outsourcing
680657 arrangements, and changes to information systems.
681658 H. As part of its information s ecurity program, each licensee
682659 shall establish a written incident response plan de signed to
683660 promptly respond to, and re cover from, any cybersecurity event that
684661 compromises the confidentiality, integrity, or availability of
685662 nonpublic information in its possession, the information systems of
686663 the licensee, or the continuing functionality of any aspect of the
687664 business or operations of the licensee.
665+The incident response plan shall addres s the following areas:
666+1. The internal process for responding to a cybersecurity
667+event;
668+2. The goals of the incident response plan;
669+3. The definition of cl ear roles, responsibilities , and levels
670+of decision-making authority;
671+4. External and internal com munications and information
672+sharing;
715-The incident response plan shall addres s the following areas:
716-1. The internal process for responding to a cybersecurity
717-event;
718-2. The goals of the incident response plan;
719-3. The definition of clear roles, responsibili ties, and levels
720-of decision-making authority;
721-4. External and internal com munications and information
722-sharing;
723699 5. Identification of requirements for the remediation of any
724700 identified weaknesses in information systems and associated
725701 controls;
726702 6. Documentation and re porting regarding cybersecurity events
727703 and related incident res ponse activities; and
728704 7. The evaluation and revision as necessary of the incident
729705 response plan following a cybersecurity event.
730706 I. Annually, each insurer domiciled in this state shall submit
731-to the Commissioner a written statement by April 15, certifying that
707+to the Commissioner a written statement by March 1, certifying that
732708 the insurer complies with the requirements set forth in this section.
733709 Each insurer shall maintain, for examination by the Insurance
734710 Department, all records, schedules, and data supporting this
735711 certificate for a period of five (5) years. To the extent an
736712 insurer has identified areas, systems, or processes that require
737713 material improvement, updating, or redesign, the insurer shall
738714 document the identification and the remedial efforts planned and
715+underway to address such areas, systems, or processes. The
716+documentation shall be available for inspection by the Commissioner
717+upon request.
718+SECTION 5. NEW LAW A new section of law to be codified
719+in the Oklahoma Statutes as S ection 674 of Title 36, unless there is
720+created a duplication in numbering, reads as follows:
721+A. If the licensee learns that a cybersecurity event has or
722+may have occurred, the licensee, or an outside vendor or service
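Review bot: the one substantive change in this hunk is the annual certification deadline in subsection I, which moves from April 15 in the removed line to March 1 in the added line; apart from the version headers at the top of the document, the other removed/added blocks on this page reproduce identical text shifted across page breaks, so a reader checking what changed between the two versions should compare only that deadline line and the title block.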
766-underway to address such areas, systems, or processes. The
767-documentation shall be available for inspection by the Commissioner
768-upon request.
769-SECTION 5. NEW LAW A new section of law to be codified
770-in the Oklahoma Statutes as Section 674 of Title 36, unless there is
771-created a duplication in numbering, reads as follows:
772-A. If the licensee learns that a cybersecurity event has or
773-may have occurred, the licensee, or an outside vendor or service
provider designated to act on behalf of the licensee, shall conduct
a prompt investigation.
B. During the investigation, the licensee, or an outside vendor
or service provider designated to act on behalf of the licensee,
shall, at a minimum:
1. Determine whether a cybersecurity event has occurred;
2. Assess the nature and scope of the cybersecurity event;
3. Identify any nonpublic information that may have been
involved in the cybersecurity event; and
4. Perform or oversee reasonable measures to restore the
security of the information systems compromised in the cybersecurity
event in order to prevent further unauthorized acquisition, release,
or use of nonpublic information in the possession, custody, or
control of the licensee.
C. If the licensee learns that a cybersecurity event has or may
have occurred in a system maintained by a third-party service
provider, the licensee shall complete the steps listed in subsection
B of this section or confirm and document that the third-party
service provider has completed those steps.
D. The licensee shall maintain records concerning all
cybersecurity events for a period of at least five (5) years from
the date of the cybersecurity event and shall produce those records
upon request by the Insurance Commissioner.
SECTION 6. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 675 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. Every licensee shall notify the Insurance Commissioner
without unreasonable delay, but not later than three business days,
from a determination that a cybersecurity event involving nonpublic
information that is in the possession of a licensee has occurred
when either of the following criteria has been met:
1. This state is the state of domicile of the licensee, in the
case of an insurer, or this state is the home state of the licensee,
in the case of a producer, as those terms are defined in the
Oklahoma Producer Licensing Act, Sections 1435.1 through 1435.41 of
Title 36 of the Oklahoma Statutes, and the cybersecurity event has a
reasonable likelihood of materially harming any material part of the
normal operations of the licensee or any consumer residing in this
state; or
2. The licensee reasonably believes that the nonpublic
information involved is of two hundred fifty (250) or more consumers
residing in this state and is either of the following:
a. a cybersecurity event impacting the licensee of which
notice is required to be provided to any government
body, self-regulatory agency, or any other supervisory
body pursuant to any state or federal law, or
b. a cybersecurity event that has a reasonable likelihood
of materially harming:
(1) any consumer residing in this state, or
(2) any material part of the normal operation or
operations of the licensee.
B. The licensee making the notification required in subsection
A of this section shall provide as much of the following information
as possible, electronically in the manner and form prescribed by the
Commissioner, along with any applicable fees. The licensee shall
have a continuing obligation to update and supplement initial and
subsequent notifications to the Commissioner regarding material
changes to previously provided information relating to the
cybersecurity event. The licensee shall provide:
1. Date of the cybersecurity event;
2. Description of how the information was exposed, lost,
stolen, or breached including, but not limited to, the specific
roles and responsibilities of third-party service providers, if any;
3. How the cybersecurity event was discovered;
4. Whether any lost, stolen, or breached information has been
recovered and, if so, how this was done;
5. The identity of the source of the cybersecurity event;
6. Whether the licensee has filed a police report or has
notified any regulatory, government, or law enforcement agencies
and, if so, when such notification was provided;
7. Description of the specific types of information acquired
without authorization. The term “specific types of information”
means particular data elements including, but not limited to, types
of medical information, financial information, or information
allowing identification of the consumer;
8. The period during which the information system was
compromised by the cybersecurity event;
9. The number of total consumers in this state affected by the
cybersecurity event. The licensee shall provide the best estimate
in the initial report to the Commissioner and update this estimate
with each subsequent report to the Commissioner pursuant to this
section;
10. The results of any internal review identifying a lapse in
either automated controls or internal procedures, or confirming that
all automated controls or internal procedures were followed;
11. Description of efforts being undertaken to remediate the
situation which permitted the cybersecurity event to occur;
12. A copy of the privacy policy of the licensee and a
statement outlining the steps the licensee will take to investigate
and notify consumers affected by the cybersecurity event; and
13. Name of a contact person who is both familiar with the
cybersecurity event and authorized to act for the licensee.
C. A licensee shall comply with the procedures of the Security
Breach Notification Act, Section 161 et seq. of Title 24 of the
Oklahoma Statutes, to notify affected consumers and provide a copy
of the notice sent to consumers under that statute to the
Commissioner, when a licensee is required to notify the Commissioner
under subsection A of this section.
D. 1. In the case of a cybersecurity event in a system
maintained by a third-party service provider, of which the licensee
has become aware, the licensee shall treat the event as it would
under subsection A of this section unless the third-party service
provider provides the notice required under subsection A of this
section to the Commissioner and the licensee.
2. The computation of deadlines of the licensee shall begin on
the day after the third-party service provider notifies the licensee
of the cybersecurity event or the licensee otherwise has actual
knowledge of the cybersecurity event, whichever is sooner.
3. Nothing in this act shall prevent or abrogate an agreement
between a licensee and another licensee, a third-party service
provider, or any other party to fulfill any of the investigation
requirements impose or notice requirements imposed under this act.
E. 1. In the case of a cybersecurity event involving nonpublic
information that is used by the licensee that is acting as an
assuming insurer, or in the possession, custody, or control of a
licensee, that is acting as an assuming insurer and that does not
have a direct contractual relationship with the affected consumers,
the assuming insurer shall notify its affected ceding insurers and
the Commissioner of its state of domicile within three (3) business
days of making the determination that a cybersecurity event has
occurred. The ceding insurers that have a direct contractual
relationship with affected consumers shall fulfill the consumer
notification requirements imposed under the Security Breach
Notification Act, Section 161 et seq. of Title 24 of the Oklahoma
Statutes, and any other notification requirements relating to a
cybersecurity event imposed under this section.
2. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody, or control of a
third-party service provider of a licensee that is an assuming
insurer, the assuming insurer shall notify its affected ceding
insurers and the Commissioner of its state of domicile within three
(3) business days of receiving notice from its third-party service
provider that a cybersecurity event has occurred. The ceding
insurers that have a direct contractual relationship with affected
consumers shall fulfill the consumer notification requirements
imposed under Security Breach Notification Act, Section 161 et seq.
of Title 24 of the Oklahoma Statutes, and any other notification
requirements relating to a cybersecurity event imposed under this
section.
F. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody, or control of a
licensee that is an insurer or its third-party service provider for
which a consumer accessed the services of the insurer through an
independent insurance producer, and for which consumer notice is
required by this act or the Security Breach Notification Act,
Section 161 et seq. of Title 24 of the Oklahoma Statutes, the
insurer shall notify the producers of record of all affected
consumers of the cybersecurity event no later than the time at which
notice is provided to the affected consumers. The insurer is
excused from this obligation for any producers who are not
authorized by law or contract to sell, solicit, or negotiate on
behalf of the insurer, and in those instances in which the insurer
does not have the current producer of record information for an
individual consumer. Any licensee acting as an assuming insurer
shall have no other notice obligations relating to a cybersecurity
event or other data breach under this section or any other law of
this state.
SECTION 7. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 676 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. The Insurance Commissioner shall have power to examine and
investigate the affairs of any licensee to determine whether the
licensee has been or is engaged in any conduct in violation of the
provisions of this act or any rules promulgated thereto. This power
is in addition to the powers which the Commissioner has under
applicable provisions of the Insurance Code including, but not
limited to, Sections 309.1 through 309.6, 332, and 1250.4 of Title
36 of the Oklahoma Statutes.
B. Whenever the Commissioner has reason to believe that a
licensee has been or is engaged in conduct in this state that
violates any provision of this act, the Commissioner may take action
that is necessary or appropriate to enforce the provisions.
SECTION 8. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 677 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. Any documents, materials, or other information in the
control or possession of the Insurance Department that are furnished
by a licensee or an employee or agent thereof acting on behalf of a
licensee pursuant to the provisions of Section 4 and Section 6 of
this act or that are obtained by the Insurance Commissioner in an
investigation or examination pursuant to Section 7 of this act shall
be confidential by law and privileged, shall not be subject to the
Oklahoma Open Records Act, shall not be subject to subpoena, and
shall not be subject to discovery or admissible in evidence in any
private civil action. However, the Commissioner is authorized to
use the documents, materials, or other information in the
furtherance of any regulatory or legal action brought as a part of
the Commissioner’s duties. The Commissioner shall not otherwise
make the documents, materials, or other information public without
the prior written consent of the licensee.
B. Neither the Commissioner nor any person who received
documents, materials, or other information while acting under the
authority of the Commissioner shall be permitted or required to
testify in any private civil action concerning any confidential
documents, materials, or information subject to subsection A of this
section.
C. In order to assist in the performance of the duties of the
Commissioner under this act, the Commissioner:
1. May share documents, materials, or other information
including the confidential and privileged documents, materials, or
information subject to subsection A of this section, with other
state, federal, and international regulatory agencies, with the
National Association of Insurance Commissioners and its affiliates
or subsidiaries and with state, federal, and international law
enforcement authorities; provided, that the recipient agrees in
writing to maintain the confidentiality and privileged status of the
document, material, or other information;
2. May receive documents, materials, or information including
otherwise confidential and privileged documents, materials, or
information, from the National Association of Insurance
Commissioners, its affiliates or subsidiaries, and from regulatory
and law enforcement officials of other foreign or domestic
jurisdictions, and shall maintain as confidential or privileged any
document, material, or information received with notice or the
understanding that it is confidential or privileged under the laws
of the jurisdiction that is the source of the document, material, or
information;
3. May share documents, materials, or other information subject
to subsection A of this section, with a third-party consultant or
vendor; provided, the consultant agrees in writing to maintain the
confidentiality and privileged status of the document, material, or
other information; and
4. May enter into agreements governing sharing and use of
information consistent with this subsection.
D. No waiver of any applicable privilege or claim of
confidentiality in the documents, materials, or information shall
occur as a result of disclosure to the Insurance Commissioner under
this section or as a result of sharing as authorized in subsection C
of this section.
E. Nothing in this act shall prohibit the Commissioner from
releasing final, adjudicated actions that are open to public
inspection pursuant to the Oklahoma Open Records Act, to a database
or other clearinghouse service maintained by the National
Association of Insurance Commissioners, its affiliates, or
subsidiaries.
F. Documents, materials, or other information in the possession
or control of the National Association of Insurance Commissioners or
a third-party consultant or vendor pursuant to this act shall not be
construed to be public information, shall not be subject to the
Oklahoma Open Records Act, shall not be subject to subpoena, and
shall not be subject to discovery or admissible as evidence in any
private civil action.
SECTION 9. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 678 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. The Insurance Commissioner may promulgate any rules
necessary to carry out the provisions of this section.
B. 1. The following exceptions shall apply to this act:
a. a licensee with less than Five Million Dollars
($5,000,000.00) in gross annual revenue, is exempt
from this act,
b. a licensee subject to the Health Insurance Portability
and Accountability Act, Pub. L. 104–191, 110 Stat.
1936, as amended, that has established and maintains
an information security program pursuant to such
statutes, rules, regulations, procedures, or
guidelines established thereunder, will be considered
to meet the requirements of Section 4 of this act,
provided that the licensee is compliant with and
submits a written statement to the Commissioner
certifying its compliance with the same, and
c. an employee, agent, representative, or designee of a
licensee, who is also a licensee, is exempt from this
act and shall not be required to develop their own
information security program to the extent that the
employee, agent, representative, or designee is
covered by the information security program of the
licensee.
2. If a licensee ceases to qualify for an exception, the
licensee shall have one hundred eighty (180) days to comply with the
provisions of this act.
C. In the case of a violation of this act, a licensee may be
penalized in accordance with any applicable sections of the
Insurance Code, including, but not limited to, Section 908 of Title
36 of the Oklahoma Statutes, or any other provision providing for
penalties that the licensee is subject to under the license or
permit of the licensee. Nothing in this act shall be construed to
impose any civil liability for any violation of this act or omission
to act by the licensee or employees of the licensee.
D. The provisions of this act shall take precedence over any
other state laws applicable to licensees for data security and the
investigation of a cybersecurity event.
SECTION 10. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 679 of Title 36, unless there is
created a duplication in numbering, reads as follows:
13831346 Licensees shall have one (1) year from the effective date of
13841347 this act to implement Section 4 of this act and two (2) years from
13851348 the effective date of this act to implement subsection F of Section
13861349 4 of this act.
1387-SECTION 11. This act shall become effective November 1, 20 23.
1350+SECTION 11. AMENDATORY 51 O.S. 2021, Section 24A.3, as
1351+last amended by Section 1, Chapter 402, O.S.L. 2022 (51 O.S. Supp.
1352+2022, Section 24A.3), is amended to read as follows:
1353+Section 24A.3. As used in the Oklahoma Open Records Act:
1354+1. “Record” means all documents including, but not limited to,
1355+any book, paper, photograph, microfilm, data files created by or
1356+used with computer software, computer tape, disk, record, sound
1357+recording, film recording, video record or other material regardless
1358+of physical form or characteristic, created by, received by, under
1359+the authority of, or coming into the custody, control or possession
1360+of public officials, public bodies or their representatives in
1361+connection with the transaction of public bus iness, the expenditure
1362+of public funds or the administering of public property. “Record”
1363+Record does not mean:
1364+a. computer software,
1365+b. nongovernment personal effects,
1366+c. unless public disclosure is required by other laws or
1367+regulations, vehicle movement records of the Oklahoma
1368+Transportation Authority obtained in connection with
1369+the Authority’s electronic toll collection system,
13881370
1389-COMMITTEE REPORT BY: COMMITTEE ON INSURANCE, dated 04/05/2023 - DO
1390-PASS, As Amended.
1371+ENGR. S. B. NO. 543 Page 28 1
1372+2
1373+3
1374+4
1375+5
1376+6
1377+7
1378+8
1379+9
1380+10
1381+11
1382+12
1383+13
1384+14
1385+15
1386+16
1387+17
1388+18
1389+19
1390+20
1391+21
1392+22
1393+23
1394+24
1395+
1396+d. personal financial information, credit reports or
1397+other financial data obtained by or submitted to a
1398+public body for the purpose of evaluating credit
1399+worthiness, obtaining a license, permit or for the
1400+purpose of becoming qualified to contract with a
1401+public body,
1402+e. any digital audio/video recordings of the toll
1403+collection and safeguarding activities of the Oklahoma
1404+Transportation Authority,
1405+f. any personal information provided by a guest at any
1406+facility owned or operated by the Oklahoma Tourism and
1407+Recreation Department to obtain any service at t he
1408+facility or by a purchaser of a product sold by or
1409+through the Oklahoma Tourism and Recre ation
1410+Department,
1411+g. a Department of Defense Form 214 (DD Form 214) filed
1412+with a county clerk including any DD Form 214 filed
1413+before July 1, 2002,
1414+h. except as provided for in Section 2 -110 of Title 47 of
1415+the Oklahoma Statutes,:
1416+(1) any record in connectio n with a Motor Vehicle
1417+Report issued by the Department of Public Safety,
1418+as prescribed in Section 6-117 of Title 47 of the
1419+Oklahoma Statutes, or
1420+
1421+ENGR. S. B. NO. 543 Page 29 1
1422+2
1423+3
1424+4
1425+5
1426+6
1427+7
1428+8
1429+9
1430+10
1431+11
1432+12
1433+13
1434+14
1435+15
1436+16
1437+17
1438+18
1439+19
1440+20
1441+21
1442+22
1443+23
1444+24
1445+
1446+(2) personal information within driver records, as
1447+defined by the Driver ’s Privacy Protection Act,
1448+18 United States Code, Sections 2721 thr ough
1449+2725, which are stored and maintained by the
1450+Department of Public Safety, or
1451+i. any portion of any document or information provided to
1452+an agency or entity of the state or a political
1453+subdivision to obtain licensure under the laws of this
1454+state or a political subdivision that contains an
1455+applicant’s personal address, personal phone number,
1456+personal electronic mail address or other contact
1457+information. Provided, however, lists of persons
1458+licensed, the existence of a license of a person, or a
1459+business or commercial address, or other business or
1460+commercial information disclosable under state law
1461+submitted with an application for licensure shall be
1462+public record, or
1463+j. information relating to a cybersecurity event reported
1464+to the Insurance Commissioner pursuant to the
1465+Insurance Data Security Act;
1466+2. “Public body” shall include, but not be limited to, any
1467+office, department, board, bureau, commission, agency, trusteeship,
1468+authority, council, committee, trust or any entity created by a
1469+trust, county, city, village, town, township, district, school
1470+
1496+district, fair board, court, executive office, advisory group, task
1497+force, study group or any subdivision thereof, supported in whole or
1498+in part by public funds or entrusted with the expenditure of public
1499+funds or administering or operating public property, and all
1500+committees, or subcommittees thereof. Except for the records
1501+required by Section 24A.4 of this title, “public body” public body
1502+does not mean judges, justices, the Council on Judicial Complaints,
1503+the Legislature or legislators. “Public body” Public body shall not
1504+include an organization that is exempt from federal income tax under
1505+Section 501(c)(3) of the Internal Revenue Code of 1986, as amended,
1506+and whose sole beneficiary is a college or university, or an
1507+affiliated entity of the college or university, that is a member of
1508+The Oklahoma State System of Higher Education. Such organization
1509+shall not receive direct appropriations from the Oklahoma
1510+Legislature. The following persons shall not be eligible to serve
1511+as a voting member of the governing board of the organization:
1512+a. a member, officer, or employee of the Oklahoma State
1513+Regents for Higher Education,
1514+b. a member of the board of regents or other governing
1515+board of the college or university that is the sole
1516+beneficiary of the organization, or
1517+c. an officer or employee of the college or university
1518+that is the sole beneficiary of the organization;
1519+
1545+3. “Public office” means the physical location where public
1546+bodies conduct business or keep records;
1547+4. “Public official” means any official or employee of any
1548+public body as defined herein; and
1549+5. “Law enforcement agency” means any public body charged with
1550+enforcing state or local criminal laws and initiating criminal
1551+prosecutions including, but not limited to, police departments,
1552+county sheriffs, the Department of Public Safety, the Oklahoma State
1553+Bureau of Narcotics and Dangerous Drugs Control, the Alcoholic
1554+Beverage Laws Enforcement Commission, and the Oklahoma State Bureau
1555+of Investigation.
1556+SECTION 12. This act shall become effective November 1, 2023.
1557+Passed the Senate the 20th day of March, 2023.
1558+
1559+
1560+
1561+ Presiding Officer of the Senate
1562+
1563+
1564+Passed the House of Representatives the ____ day of __________,
1565+2023.
1566+
1567+
1568+
1569+ Presiding Officer of the House
1570+ of Representatives
1571+