Oklahoma 2024 Regular Session

Oklahoma Senate Bill SB543 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-
4		-	An Act
5		-	ENROLLED SENATE
6		-	BILL NO. 543 By: Pemberton of the Senate
	3	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 1 1
	4	+	2
	5	+	3
	6	+	4
	7	+	5
	8	+	6
	9	+	7
	10	+	8
	11	+	9
	12	+	10
	13	+	11
	14	+	12
	15	+	13
	16	+	14
	17	+	15
	18	+	16
	19	+	17
	20	+	18
	21	+	19
	22	+	20
	23	+	21
	24	+	22
	25	+	23
	26	+	24
	27	+
	28	+	ENGROSSED HOUSE AMENDME NT
	29	+	TO
	30	+	ENGROSSED SENATE BILL NO . 543 By: Montgomery of the Senate
7	31
8	32		and
9	33
10	34		Sneed of the House
	35	+
11	36
12	37
13	38
14	39
15	40		An Act relating to insurance data security; creating
16	41		the Insurance Data Security A ct; providing short
17	42		title; establishing act juris diction; construing
18	43		provision; defining terms; requiring licensee s to
19	44		develop data security program with certain
20	45		inclusions; establishing intent of security programs
21	46		created pursuant to act; directing licensee to
22	47		conduct risk assessment; directing licensee to take
23	48		certain action following risk assessment result;
24	49		requiring certain supervising boards to take certain
25	50		actions to implement program; requiring licensee to
26	51		contract with third-party service provider subject to
27	52		certain conditions; requiring licensee to maintain
28	53		updates and revisions to program; requiring licensee
29	54		develop incident response plan; requiring certain
30	55		reports be submitted to the Insurance Commissioner;
31	56		requiring insurer to maintain certain records for
32	57		specific time period; requiring investi gation after
33	58		certain cybersecurity event; establishing
34	59		investigation process; requiring notification of
35	60		certain event to the Commissioner; requiring
36	61		compliance with certain state laws; providing for
37	62		certain exemption; providing for the Commissioner to
38	63		investigate certain license es for certain violations;
39	64		providing for confidentiality of certain information
40	65		relating to cybersecurity event; allowing
41	66		Commissioner to share certain data with national
42	67		association; construing provision; providing for rule
43	68		promulgation; providing certain exceptions to act;
	69	+	establishing penalties ; amending 51 O.S. 2021,
	70	+	Section 24A.3, as last amended by Section 1, Chapter
	71	+	402, O.S.L. 2022 (51 O.S. Supp. 2022, Section 24A.3),
	72	+	which relates to the Oklahoma Open Records Act;
	73	+	modifying definition; updating statutory language;
	74	+
	75	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 2 1
	76	+	2
	77	+	3
	78	+	4
	79	+	5
	80	+	6
	81	+	7
	82	+	8
	83	+	9
	84	+	10
	85	+	11
	86	+	12
	87	+	13
	88	+	14
	89	+	15
	90	+	16
	91	+	17
	92	+	18
	93	+	19
	94	+	20
	95	+	21
	96	+	22
	97	+	23
	98	+	24
	99	+
	100	+	providing for codificatio n; and providing an
	101	+	effective date.
	102	+
	103	+
	104	+
	105	+
	106	+
	107	+
	108	+	AMENDMENT NO. 1. Strike the title, enacting clause, and entire bill
	109	+	and insert:
	110	+
	111	+
	112	+	"An Act relating to insurance data security; creating
	113	+	the Insurance Data Security Act; providing short
	114	+	title; establishing act jurisdi ction; construing
	115	+	provision; defining terms; requiring licensees to
	116	+	develop data security program with certain
	117	+	inclusions; establishi ng intent of security pr ograms
	118	+	created pursuant to act; directing licensee to
	119	+	conduct risk assessment; directing licensee t o take
	120	+	certain action following risk assessment result;
	121	+	requiring certain su pervising boards to take certain
	122	+	actions to implement pro gram; requiring licensee to
	123	+	contract with third-party service provider subject to
	124	+	certain conditions; requiring licensee to maintain
	125	+	updates and revisions to program; requiring licensee
	126	+	develop incident response plan; requiring certain
	127	+	reports be submitted to the Insurance Commis sioner;
	128	+	requiring insurer to maintain certain records for
	129	+	specific time period; requiring investiga tion after
	130	+	certain cybersecurity event; establishing
	131	+	investigation process; requiring notification of
	132	+	certain event to the Commission er; requiring
	133	+	compliance with certain state laws; providing for
	134	+	certain exemption; providing for the Commissioner to
	135	+	investigate certain license es for certain violations;
	136	+	providing for confidentialit y of certain information
	137	+	relating to cybersecurity event; allowing
	138	+	Commissioner to share certain data with national
	139	+	association; construing provision; providing for rule
	140	+	promulgation; providing certain exceptions to act;
44	141		establishing penalties; providing for codification;
45		-	providing an effective date ; and declaring an
	142	+	providing an effective date, and declaring an
46	143		emergency.
47	144
48		-	ENR. S. B. NO. 543 Page 2
49		-
50		-
51		-
52		-
53		-	SUBJECT: Insurance Data Security Act
	145	+
	146	+
	147	+
	148	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 3 1
	149	+	2
	150	+	3
	151	+	4
	152	+	5
	153	+	6
	154	+	7
	155	+	8
	156	+	9
	157	+	10
	158	+	11
	159	+	12
	160	+	13
	161	+	14
	162	+	15
	163	+	16
	164	+	17
	165	+	18
	166	+	19
	167	+	20
	168	+	21
	169	+	22
	170	+	23
	171	+	24
54	172
55	173		BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
56		-
57	174		SECTION 1. NEW LAW A new section of law to be codified
58	175		in the Oklahoma Statutes as Section 670 of Title 36, unless there is
59	176		created a duplication in numb ering, reads as follows:
60		-
61	177		This act shall be known and may be cited as the “Insurance Data
62	178		Security Act”.
63		-
64	179		SECTION 2. NEW LAW A new section of law to be codified
65	180		in the Oklahoma Statutes as Section 671 of Title 36, unless there is
66	181		created a duplication in numb ering, reads as follows:
67		-
68	182		A. Notwithstanding any other provision of law, the provisions
69	183		of this act shall be the exclusive state law for licensees subject
70	184		to the jurisdiction of the Insurance Commissioner for data security,
71	185		the investigation of a cybersecurity event, and notification to the
72	186		Commissioner.
73		-
74	187		B. This act shall not be construed to creat e or imply a private
75	188		cause of action for violations of its provisions.
76		-
77	189		SECTION 3. NEW LAW A new section of law to be codified
78	190		in the Oklahoma Statutes as Section 672 of Title 36, unless there is
79	191		created a duplication in numbering, reads as follows:
80		-
81	192		As used in this act:
82		-
83	193		1. “Authorized individual” means an individual known to and
84	194		screened by the licensee and determined to be necessary and
85	195		appropriate to have access to th e nonpublic information held by the
86	196		licensee and its information systems;
87	197
	198	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 4 1
	199	+	2
	200	+	3
	201	+	4
	202	+	5
	203	+	6
	204	+	7
	205	+	8
	206	+	9
	207	+	10
	208	+	11
	209	+	12
	210	+	13
	211	+	14
	212	+	15
	213	+	16
	214	+	17
	215	+	18
	216	+	19
	217	+	20
	218	+	21
	219	+	22
	220	+	23
	221	+	24
	222	+
88	223		2. “Commissioner” means the Insurance Commissioner;
89		-
90		-
91		-	ENR. S. B. NO. 543 Page 3
92	224		3. “Consumer” means an individual, including but not limited to
93	225		applicants, policyholders, insureds, beneficiaries, claimants, and
94	226		certificate holders, who is a resident of this state and whose
95	227		nonpublic information is in the possession, custody, or control of a
96	228		licensee;
97		-
98	229		4. “Cybersecurity event” means an event resulting in
99	230		unauthorized access to or disruption or misuse of an information
100	231		system or nonpublic information stored on the information system.
101	232		The term cybersecurity event shall not include the unauthorized
102	233		acquisition of encrypted nonpublic information if the encryption,
103	234		process, or key is not also acquired, released , or used without
104	235		authorization. Cybersecurity event shall not include an event in
105	236		which the licensee has determined tha t the nonpublic info rmation
106	237		accessed by an unauthorized person has not been used or released and
107	238		has been returned or destroyed ;
108		-
109	239		5. “Department” means the Insurance Department;
110		-
111	240		6. “Encrypted” means the transformation of data into a form
112	241		which results in a low probability of assigning meaning without the
113	242		use of a protective process or key;
114		-
115	243		7. “Information security program ” means the administrative,
116	244		technical, and physical safeguards that a licensee u ses to access,
117	245		collect, distribute, process, protect, st ore, use, transmit, dispose
118	246		of, or otherwise handle nonpublic information;
	247	+
	248	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 5 1
	249	+	2
	250	+	3
	251	+	4
	252	+	5
	253	+	6
	254	+	7
	255	+	8
	256	+	9
	257	+	10
	258	+	11
	259	+	12
	260	+	13
	261	+	14
	262	+	15
	263	+	16
	264	+	17
	265	+	18
	266	+	19
	267	+	20
	268	+	21
	269	+	22
	270	+	23
	271	+	24
119	272
120	273		8. “Information system” means a discrete set of electro nic
121	274		information resources organized for the collection, processing,
122	275		maintenance, use, sharing, dissemination or disposi tion of nonpublic
123	276		information, as well as any specialized system such as industrial or
124	277		process controls systems, telephone switching and private branch
125	278		exchange systems, and environmental control systems;
126		-
127	279		9. “Licensee” means any person licensed, authorized to o perate,
128	280		or registered, or required to be licensed, authorized to operate, or
129	281		registered, pursuant to Title 36 of the Oklahoma Statutes; prov ided,
130	282		however, that it shall not include a purchasing group or a risk
131	283		retention group chartered and licensed in a st ate other than this
132	284		state or a person that is acting as an assuming insurer that is
133	285		domiciled in another state or jurisdiction;
134		-
135		-	ENR. S. B. NO. 543 Page 4
136		-
137	286		10. “Multi-factor authentication” means authentication through
138	287		verification of at least two (2) of the following types of
139	288		authentication factors:
140		-
141	289		a. knowledge factors, such as a password ,
142		-
143	290		b. possession factors, such as a token or text message on
144	291		a mobile phone, or
145		-
146	292		c. inherence factors, such as a biometric characteristic;
147		-
148	293		11. “Nonpublic information” means electronic information th at
149	294		is not publicly available and is:
150		-
151	295		a. business related information of a licensee, of which
152	296		the tampering with or unauthorized disclosure, access,
	297	+
	298	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 6 1
	299	+	2
	300	+	3
	301	+	4
	302	+	5
	303	+	6
	304	+	7
	305	+	8
	306	+	9
	307	+	10
	308	+	11
	309	+	12
	310	+	13
	311	+	14
	312	+	15
	313	+	16
	314	+	17
	315	+	18
	316	+	19
	317	+	20
	318	+	21
	319	+	22
	320	+	23
	321	+	24
	322	+
153	323		or use of would cause a material adverse impact to the
154	324		business, operations, or security of the licensee ,
155		-
156	325		b. any information concerning a consumer that, because of
157	326		name, number, personal mark, or other identifier, can
158	327		be used to identify him or her , in combination with
159	328		any one or more of the following data elements:
160		-
161	329		(1) social security number,
162		-
163	330		(2) driver license number or nondriver identification
164	331		card number,
165		-
166	332		(3) financial account number, credit card number, or
167	333		debit card number,
168		-
169	334		(4) any security code, access code, or password that
170	335		would permit access to a consumer’s financial
171	336		account, or
172		-
173	337		(5) biometric records, or
174		-
175	338		c. any information or data, except age or gender, in any
176	339		form or medium created by or derived from a health
177		-
178		-	ENR. S. B. NO. 543 Page 5
179	340		care provider or a consumer th at can be used to
180	341		identify a particular consumer and that relates to:
181		-
182	342		(1) the past, present, or future physical, men tal, or
183	343		behavioral health or condition of any consumer or
184	344		a member of the family of the consumer,
185		-
186	345		(2) the provision of health care to any co nsumer, or
	346	+
	347	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 7 1
	348	+	2
	349	+	3
	350	+	4
	351	+	5
	352	+	6
	353	+	7
	354	+	8
	355	+	9
	356	+	10
	357	+	11
	358	+	12
	359	+	13
	360	+	14
	361	+	15
	362	+	16
	363	+	17
	364	+	18
	365	+	19
	366	+	20
	367	+	21
	368	+	22
	369	+	23
	370	+	24
187	371
188	372		(3) payment for the provision of health care to any
189	373		consumer;
190		-
191	374		12. “Person” means any individual or any nongovernmental
192	375		entity including, but not limited to, any nongovernmental
193	376		partnership, corporation, branch, agency, or association;
194		-
195	377		13. “Publicly available information” means any information that
196	378		a licensee has reasonable basis to believe is lawfully made
197	379		available to the gener al public from federal, state, or local
198	380		government records, widely distributed media, or disclosures to the
199	381		general public that are required to be made by federal, state, or
200	382		local law. For the purposes of this definition, a licensee has a
201	383		reasonable basis to believe that information is lawfully made
202	384		available to the general public if the licensee has taken steps to
203	385		determine:
204		-
205	386		a. that the information is of the type that is available
206	387		to the general public, and
207		-
208	388		b. whether a consumer can direct that the information not
209	389		be made available to the general public and, if so,
210	390		that such consumer has not done so; and
211		-
212	391		14. “Third-party service provider” means a person, not
213	392		otherwise defined as a licensee, that contracts with a licensee to
214	393		maintain, process, store, or otherwise is permitted access to
215	394		nonpublic information through its provision of services to the
216	395		licensee.
217	396
	397	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 8 1
	398	+	2
	399	+	3
	400	+	4
	401	+	5
	402	+	6
	403	+	7
	404	+	8
	405	+	9
	406	+	10
	407	+	11
	408	+	12
	409	+	13
	410	+	14
	411	+	15
	412	+	16
	413	+	17
	414	+	18
	415	+	19
	416	+	20
	417	+	21
	418	+	22
	419	+	23
	420	+	24
	421	+
218	422		SECTION 4. NEW LAW A new section of law to be codified
219	423		in the Oklahoma Statutes as Section 673 of Title 36, unless there is
220	424		created a duplication in numbering, reads as follows:
221		-
222		-	ENR. S. B. NO. 543 Page 6
223		-
224	425		A. Each licensee in this state shall develop, implement, and
225	426		maintain a comprehensive written information security program based
226	427		on the risk assessment of the licensee provided for in t his act and
227	428		that contains administrative, technical, and physical safeguards for
228	429		the protection of nonpublic in formation and the information systems
229	430		of the licensee. The program shall be commensurate with the size and
230	431		complexity of the licensee, the nature and scope of the activities
231	432		of the licensee, including its use of third-party service providers,
232	433		and the sensitivity of the nonpublic information used by the
233	434		licensee or in the possession, custody, or control of the licensee.
234		-
235	435		B. An information security program of a license e shall be
236	436		designed to:
237		-
238	437		1. Protect the security and confidentialit y of nonpublic
239	438		information and the security of the information systems;
240		-
241	439		2. Protect against any threats or hazards to the security or
242	440		integrity of nonpublic information and the information systems;
243		-
244	441		3. Protect against unauthorized access to or use of nonpu blic
245	442		information, and minimize the likelihood o f harm to any consumer;
246	443		and
247	444
	445	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 9 1
	446	+	2
	447	+	3
	448	+	4
	449	+	5
	450	+	6
	451	+	7
	452	+	8
	453	+	9
	454	+	10
	455	+	11
	456	+	12
	457	+	13
	458	+	14
	459	+	15
	460	+	16
	461	+	17
	462	+	18
	463	+	19
	464	+	20
	465	+	21
	466	+	22
	467	+	23
	468	+	24
	469	+
248	470		4. Define and periodically reevaluate a schedule for retention
249	471		of nonpublic information and a mechanism for its destruction when no
250	472		longer needed.
251		-
252	473		C. The licensee shall:
253		-
254	474		1. Designate one or more employees, an affiliate, or an outside
255	475		vendor designated to act on behalf of the licensee who is
256	476		responsible for the information security program;
257		-
258	477		2. Identify reasonably foreseeable internal or external threats
259	478		that could result in unauthorized access, transmission, disclosure,
260	479		misuse, alteration, or destruction of nonpublic information
261	480		including, but not limited to, the security of information systems
262	481		and nonpublic information that are accessible to, or held by, third-
263	482		party service providers;
264		-
265		-
266		-	ENR. S. B. NO. 543 Page 7
267	483		3. Assess the likelihood and potential damage of these threats,
268	484		taking into consideration the sensitivity of the nonpublic
269	485		information;
270		-
271	486		4. Assess the sufficiency of policies, procedures, information
272	487		systems, and other safeguards in place to manage these threats,
273	488		including consideration of threats in each relevant area of the
274	489		operations of the licensee, including:
275		-
276	490		a. employee training and management,
277		-
278	491		b. information systems, including, but not limited to,
279	492		network and software design, as well as information
	493	+
	494	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 10 1
	495	+	2
	496	+	3
	497	+	4
	498	+	5
	499	+	6
	500	+	7
	501	+	8
	502	+	9
	503	+	10
	504	+	11
	505	+	12
	506	+	13
	507	+	14
	508	+	15
	509	+	16
	510	+	17
	511	+	18
	512	+	19
	513	+	20
	514	+	21
	515	+	22
	516	+	23
	517	+	24
	518	+
280	519		classification, governance, processing, storage,
281	520		transmission, and disposal, and
282		-
283	521		c. detecting, preventing, and responding to attacks,
284	522		intrusions, or other systems failures; and
285		-
286	523		5. Implement information safeguards to manage the threats
287	524		identified in its ongoing assessment, and no less than annuall y,
288	525		assess the effectiveness of the key controls, systems, and
289	526		procedures of the safeguards.
290		-
291	527		D. Based on the results of the risk assessment, the licensee
292	528		shall:
293		-
294	529		1. Design its information security program to mitigate the
295	530		identified risks, commensurate with the size and complexity of the
296	531		licensee, the nature and scope of the a ctivities of the licensee
297	532		including its use of third-party service providers, and the
298	533		sensitivity of the nonpublic information used by the licensee or in
299	534		the possession, custody, or control of the licensee;
300		-
301	535		2. Determine and implement security measures deemed
302	536		appropriate, including:
303		-
304	537		a. place access controls on information systems
305	538		including controls to authenticate and permit access
306	539		only to authorized individuals to protect against the
307	540		unauthorized acquisition of nonpublic information,
308		-
309		-
310		-	ENR. S. B. NO. 543 Page 8
311	541		b. identify and manage the data, personnel, devices,
312	542		systems, and facilities that enable the organization
	543	+
	544	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 11 1
	545	+	2
	546	+	3
	547	+	4
	548	+	5
	549	+	6
	550	+	7
	551	+	8
	552	+	9
	553	+	10
	554	+	11
	555	+	12
	556	+	13
	557	+	14
	558	+	15
	559	+	16
	560	+	17
	561	+	18
	562	+	19
	563	+	20
	564	+	21
	565	+	22
	566	+	23
	567	+	24
	568	+
313	569		to achieve business purposes in acco rdance with their
314	570		relative importance to business objectives and the
315	571		risk strategy of the organization,
316		-
317	572		c. restrict physical access to nonpublic information to
318	573		authorized individuals only,
319		-
320	574		d. protect by encryption or other appropriate means, all
321	575		nonpublic information while being transmitted over an
322	576		external network and all nonpublic information stored
323	577		on a laptop computer or other portable computing or
324	578		storage device or media,
325		-
326	579		e. adopt secure development practices for in-house
327	580		developed applications utilized by the licensee,
328		-
329	581		f. modify the information system in accordance with the
330	582		information security program of the licensee,
331		-
332	583		g. utilize effective controls, which may include multi-
333	584		factor authentication procedures for any authorized
334	585		individual accessing nonpublic information,
335		-
336	586		h. regularly test and monitor systems and procedures to
337	587		detect actual and attempted attacks on, or intrusions
338	588		into, information systems,
339		-
340	589		i. include audit trails within the information security
341	590		program designed to detect and respond to
342	591		cybersecurity events and designed to reconstruct
	592	+
	593	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 12 1
	594	+	2
	595	+	3
	596	+	4
	597	+	5
	598	+	6
	599	+	7
	600	+	8
	601	+	9
	602	+	10
	603	+	11
	604	+	12
	605	+	13
	606	+	14
	607	+	15
	608	+	16
	609	+	17
	610	+	18
	611	+	19
	612	+	20
	613	+	21
	614	+	22
	615	+	23
	616	+	24
	617	+
343	618		material financial transactions sufficient to support
344	619		normal operations and obligations of the licensee,
345		-
346	620		j. implement measures to protect against destruction,
347	621		loss, or damage of nonpublic information due to
348	622		environmental hazards such as fire and water damage or
349	623		other catastrophic events or technological failures,
350	624		and
351		-
352		-
353		-	ENR. S. B. NO. 543 Page 9
354	625		k. develop, implement, and maintain procedures for the
355	626		secure disposal of nonpublic information in any format;
356		-
357	627		3. Include cybersecurity risks in the enterprise risk management
358	628		process of the licensee;
359		-
360	629		4. Stay informed regarding emerging threats or vulnerabilities
361	630		and utilize reasonable security measures when sharing information
362	631		relative to the character of the sharing and the type of information
363	632		shared; and
364		-
365	633		5. Provide its personnel with cybersecurity awareness training
366	634		that is updated as necessary to reflect risks identified by the
367	635		licensee in the risk assessment.
368		-
369	636		E. If the licensee has a board of directors, the board or an
370	637		appropriate committee of the board , at a minimum, within one year of
371	638		the effective date of thi s act, shall:
372		-
373	639		1. Require the executive management of the licensee or its
374	640		delegates to develop, implement, and maintain the information
375	641		security program of the licensee;
376	642
	643	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 13 1
	644	+	2
	645	+	3
	646	+	4
	647	+	5
	648	+	6
	649	+	7
	650	+	8
	651	+	9
	652	+	10
	653	+	11
	654	+	12
	655	+	13
	656	+	14
	657	+	15
	658	+	16
	659	+	17
	660	+	18
	661	+	19
	662	+	20
	663	+	21
	664	+	22
	665	+	23
	666	+	24
	667	+
377	668		2. Require the executive management of the licensee or its
378	669		delegates to report to the Insurance Commissioner in writing, at
379	670		least annually, the following information:
380		-
381	671		a. the overall status of the information security program
382	672		and the compliance of the licensee with this act, and
383		-
384	673		b. material matters related to the information security
385	674		program, addressing issues such as risk assessment,
386	675		risk management and control decisions, third-party
387	676		service provider arrangements, results of testing,
388	677		cybersecurity events or violations and responses of
389	678		the management to those events or violations, and
390	679		recommendations for changes in t he information
391	680		security program; and
392		-
393	681		3. If executive management delegates any of its
394	682		responsibilities, it shall oversee the development, implementation ,
395	683		and maintenance of the information security program of the licensee
396		-
397		-	ENR. S. B. NO. 543 Page 10
398	684		prepared by the delegate or delega tes and shall receive a report
399	685		from the delegate or delegates complying with the requirements of
400	686		the report to the board.
401		-
402	687		F. A licensee shall exercise due diligence in selecting its
403	688		third-party service provider and shall require t he provider to
404	689		implement appropriate administrative, technical, and physical
405	690		measures to protect and secure the information systems and nonpublic
	691	+
	692	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 14 1
	693	+	2
	694	+	3
	695	+	4
	696	+	5
	697	+	6
	698	+	7
	699	+	8
	700	+	9
	701	+	10
	702	+	11
	703	+	12
	704	+	13
	705	+	14
	706	+	15
	707	+	16
	708	+	17
	709	+	18
	710	+	19
	711	+	20
	712	+	21
	713	+	22
	714	+	23
	715	+	24
	716	+
406	717		information that are accessible to, or held by, the third-party
407	718		service provider.
408		-
409	719		G. The licensee shall monito r, evaluate, and adjust, as
410	720		appropriate, the information security program consistent with any
411	721		relevant changes in technology, the sensitivity of its nonpublic
412	722		information, internal o r external threats to information and the
413	723		changing business arrangements o f the licensee, such as mergers and
414	724		acquisitions, alliances and joint ventures, outsourcing
415	725		arrangements, and changes to information systems.
416		-
417	726		H. As part of its information s ecurity program, each licensee
418	727		shall establish a written incident response plan de signed to
419	728		promptly respond to, and recover from, any cybersecurity event that
420	729		compromises the confidentiality, integrity, or availability of
421	730		nonpublic information in its possession, the information systems of
422	731		the licensee, or the continuing functionality o f any aspect of the
423	732		business or operations of the licensee.
424		-
425	733		The incident response plan shall addres s the following areas:
426		-
427	734		1. The internal process for responding to a cybersecurity
428	735		event;
429		-
430	736		2. The goals of the incident response plan;
431		-
432	737		3. The definition of clear roles, responsibilities, and levels
433	738		of decision-making authority;
434		-
435	739		4. External and internal com munications and information
436	740		sharing;
437	741
438		-
439		-	ENR. S. B. NO. 543 Page 11
	742	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 15 1
	743	+	2
	744	+	3
	745	+	4
	746	+	5
	747	+	6
	748	+	7
	749	+	8
	750	+	9
	751	+	10
	752	+	11
	753	+	12
	754	+	13
	755	+	14
	756	+	15
	757	+	16
	758	+	17
	759	+	18
	760	+	19
	761	+	20
	762	+	21
	763	+	22
	764	+	23
	765	+	24
	766	+
440	767		5. Identification of requirements for the remediation of any
441	768		identified weaknesses in information systems and associat ed
442	769		controls;
443		-
444	770		6. Documentation and reporting regarding cybersecurity events
445	771		and related incident res ponse activities; and
446		-
447	772		7. The evaluation and revision as necessary of the incident
448	773		response plan following a cybersecurity event.
449		-
450	774		I. Annually, each insurer domiciled in this state shall submit
451	775		to the Commissioner a written statement by April 15, certifying that
452	776		the insurer complies with the requirements set forth in this section.
453	777		Each insurer shall maintain, for examination by the Insurance
454	778		Department, all records, schedules, and data supporting this
455	779		certificate for a period of five (5) years. To the extent an
456	780		insurer has identified areas, systems, or processes that require
457	781		material improvement, updating, or redesign, the insurer shall
458	782		document the identification and the remedial efforts planned and
459	783		underway to address such areas, systems, or processes. The
460	784		documentation shall be available for inspection by the Commissioner
461	785		upon request.
462		-
463	786		SECTION 5. NEW LAW A new section of law to be codified
464	787		in the Oklahoma Statutes as Section 674 of Title 36, unless there is
465	788		created a duplication in numbering, reads as follows:
466		-
467	789		A. If the licensee learns that a cybersecurity event has or
468	790		may have occurred, the licensee, or an outside vendor or service
	791	+
	792	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 16 1
	793	+	2
	794	+	3
	795	+	4
	796	+	5
	797	+	6
	798	+	7
	799	+	8
	800	+	9
	801	+	10
	802	+	11
	803	+	12
	804	+	13
	805	+	14
	806	+	15
	807	+	16
	808	+	17
	809	+	18
	810	+	19
	811	+	20
	812	+	21
	813	+	22
	814	+	23
	815	+	24
	816	+
469	817		provider designated to act on behalf of the licensee, shall conduct
470	818		a prompt investigation.
471		-
472	819		B. During the investigation, the licensee, or an outside vendor
473	820		or service provider des ignated to act on behalf of the licensee,
474	821		shall, at a minimum:
475		-
476	822		1. Determine whether a cybersecuri ty event has occurred;
477		-
478	823		2. Assess the nature and scope of the cybersecurity eve nt;
479		-
480	824		3. Identify any nonpublic information that may have been
481	825		involved in the cybersecurity event; and
482		-
483		-	ENR. S. B. NO. 543 Page 12
484		-
485	826		4. Perform or oversee r easonable measures to rest ore the
486	827		security of the information systems compromised in the cybersecurity
487	828		event in order to prevent further unauthorized acquisition, release,
488	829		or use of nonpublic information in th e possession, custody, or
489	830		control of the licensee .
490		-
491	831		C. If the licensee learns that a cybersecurity event has or may
492	832		have occurred in a syst em maintained by a third-party service
493	833		provider, the licensee shall complete the steps listed in subsection
494	834		B of this section or confirm and document that the third -party
495	835		service provider has completed those steps.
496		-
497	836		D. The licensee shall maintain records concerning all
498	837		cybersecurity events for a period of at least five (5) years from
499	838		the date of the cybersecurity event and shall produce those records
500	839		upon request by the Insurance Commissioner.
501	840
	841	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 17 1
	842	+	2
	843	+	3
	844	+	4
	845	+	5
	846	+	6
	847	+	7
	848	+	8
	849	+	9
	850	+	10
	851	+	11
	852	+	12
	853	+	13
	854	+	14
	855	+	15
	856	+	16
	857	+	17
	858	+	18
	859	+	19
	860	+	20
	861	+	21
	862	+	22
	863	+	23
	864	+	24
	865	+
502	866		SECTION 6. NEW LAW A new section of law to be codified
503	867		in the Oklahoma Statutes as Section 675 of Title 36, unless there is
504	868		created a duplication in numb ering, reads as follows:
505		-
506	869		A. Every licensee shall notify the Insurance Commis sioner
507	870		without unreasonable delay, but not later than three busine ss days,
508	871		from a determination that a cybersecurity event involving nonpublic
509	872		information that is in the possession of a licensee has occurred
510	873		when either of the following criteria has been m et:
511		-
512	874		1. This state is the state of domicile of the licensee, in the
513	875		case of an insurer, or this state i s the home state of the licensee,
514	876		in the case of a producer, as those terms are defined in the
515	877		Oklahoma Producer Licensing Act, Sections 1435.1 thro ugh 1435.41 of
516	878		Title 36 of the Oklahoma Statutes, and the cybersecurity event has a
517	879		reasonable likelihood of materially harming any material part of the
518	880		normal operations of the licensee or any consumer residing in this
519	881		state; or
520		-
521	882		2. The licensee reasonably bel ieves that the nonpublic
522	883		information involved is of two hundred fi fty (250) or more consumers
523	884		residing in this state and is either of the following:
524		-
525		-
526		-	ENR. S. B. NO. 543 Page 13
527	885		a. a cybersecurity event impacting the licensee of which
528	886		notice is required to be provided to any governmen t
529	887		body, self-regulatory agency, or any other supervisory
530	888		body pursuant to any state or federal law, or
531	889
	890	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 18 1
	891	+	2
	892	+	3
	893	+	4
	894	+	5
	895	+	6
	896	+	7
	897	+	8
	898	+	9
	899	+	10
	900	+	11
	901	+	12
	902	+	13
	903	+	14
	904	+	15
	905	+	16
	906	+	17
	907	+	18
	908	+	19
	909	+	20
	910	+	21
	911	+	22
	912	+	23
	913	+	24
	914	+
532	915		b. a cybersecurity event that has a reasonable likelihood
533	916		of materially harming:
534		-
535	917		(1) any consumer residing in this state , or
536		-
537	918		(2) any material part of the normal operation or
538	919		operations of the licensee.
539		-
540	920		B. The licensee making the notification required in su bsection
541	921		A of this section shall provide as much of the following information
542	922		as possible, electronically in the manner and form prescribed by the
543	923		Commissioner, along with any applicable fees. The licensee shall
544	924		have a continuing obligation to update and s upplement initial and
545	925		subsequent notifications to the Commissioner regarding material
546	926		changes to previously provided information relating to the
547	927		cybersecurity event. The licensee shall provide:
548		-
549	928		1. Date of the cybersecurity event;
550		-
551	929		2. Description of how t he information was exposed, lost,
552	930		stolen, or breached including, but not limited to, the specific
553	931		roles and responsibilities of third-party service providers, if any;
554		-
555	932		3. How the cybersecurity event was discovered;
556		-
557	933		4. Whether any lost, stolen, or breached information has been
558	934		recovered and, if so, how this was done;
559		-
560	935		5. The identity of the source of the cybersecurity event;
561		-
562	936		6. Whether the licensee has filed a police report or has
563	937		notified any regulatory, government , or law enforcement agencies
564	938		and, if so, when such notification was provided;
565	939
	940	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 19 1
	941	+	2
	942	+	3
	943	+	4
	944	+	5
	945	+	6
	946	+	7
	947	+	8
	948	+	9
	949	+	10
	950	+	11
	951	+	12
	952	+	13
	953	+	14
	954	+	15
	955	+	16
	956	+	17
	957	+	18
	958	+	19
	959	+	20
	960	+	21
	961	+	22
	962	+	23
	963	+	24
	964	+
566	965		7. Description of the specific ty pes of information acquired
567	966		without authorization. The term “specific types of information”
568	967		means particular data elements including, but not li mited to, types
569		-
570		-	ENR. S. B. NO. 543 Page 14
571	968		of medical information, financial information, or information
572	969		allowing identification of the con sumer;
573		-
574	970		8. The period during which the information system was
575	971		compromised by the cybersecurity event;
576		-
577	972		9. The number of total consumers in this state affected by the
578	973		cybersecurity event. The licensee shall provide the best estimate
579	974		in the initial report t o the Commissioner and update this estimate
580	975		with each subsequent report to the Commissioner pursuant t o this
581	976		section;
582		-
583	977		10. The results of any in ternal review identifying a lapse in
584	978		either automated controls or internal procedures, or confirming that
585	979		all automated controls or internal procedures were followed;
586		-
587	980		11. Description of efforts being undertaken to remediate the
588	981		situation which permitted t he cybersecurity event to occur;
589		-
590	982		12. A copy of the privacy policy of the licensee and a
591	983		statement outlining the steps the licensee will take to investigate
592	984		and notify consumers affected by the cybersecurity event; and
593		-
594	985		13. Name of a contact person who is both familiar with the
595	986		cybersecurity event and authorized to act for the licensee.
596		-
597	987		C. A licensee shall comply w ith the procedures of the Security
598	988		Breach Notification Act, Section 161 et seq . of Title 24 of the
	989	+
	990	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 20 1
	991	+	2
	992	+	3
	993	+	4
	994	+	5
	995	+	6
	996	+	7
	997	+	8
	998	+	9
	999	+	10
	1000	+	11
	1001	+	12
	1002	+	13
	1003	+	14
	1004	+	15
	1005	+	16
	1006	+	17
	1007	+	18
	1008	+	19
	1009	+	20
	1010	+	21
	1011	+	22
	1012	+	23
	1013	+	24
	1014	+
599	1015		Oklahoma Statutes, to notify affected consume rs and provide a copy
600	1016		of the notice sent to consumers under that statute to the
601	1017		Commissioner, when a licensee is required to notify the Commissioner
602	1018		under subsection A of this section.
603		-
604	1019		D. 1. In the case of a cybe rsecurity event in a system
605	1020		maintained by a third-party service provider, of which the licensee
606	1021		has become aware, the licensee shall treat the event as it would
607	1022		under subsection A of this section unless the third -party service
608	1023		provider provides the notice required under subsection A of this
609	1024		section to the Commissioner and the licensee.
610		-
611	1025		2. The computation of deadlines of the licensee shall begin on
612	1026		the day after the third-party service provider notifies the licensee
613		-
614		-	ENR. S. B. NO. 543 Page 15
615	1027		of the cybersecurity event or the license e otherwise has actual
616	1028		knowledge of the cybersecurity event, whichever is sooner.
617		-
618	1029		3. Nothing in this act shall prevent or abrogate an agreement
619	1030		between a licensee and another licensee, a third -party service
620	1031		provider, or any other party to fulfill any of the investigation
621	1032		requirements or notice requirements imposed under this act.
622		-
623	1033		E. 1. In the case of a cybersecurity event involving nonpublic
624	1034		information that is used by the licensee that is acting as an
625	1035		assuming insurer, or in the possession, custody, or control of a
626	1036		licensee, that is acti ng as an assuming insurer and that does not
627	1037		have a direct contractual relationship with the affected consumers,
628	1038		the assuming insurer shall notify its affected ceding insurers and
	1039	+
	1040	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 21 1
	1041	+	2
	1042	+	3
	1043	+	4
	1044	+	5
	1045	+	6
	1046	+	7
	1047	+	8
	1048	+	9
	1049	+	10
	1050	+	11
	1051	+	12
	1052	+	13
	1053	+	14
	1054	+	15
	1055	+	16
	1056	+	17
	1057	+	18
	1058	+	19
	1059	+	20
	1060	+	21
	1061	+	22
	1062	+	23
	1063	+	24
	1064	+
629	1065		the Commissioner of its state of domicile within three (3) business
630	1066		days of making the determination that a cybersecurity event has
631	1067		occurred. The ceding insurers that have a direct contractual
632	1068		relationship with affected consumers shall fulfill the consumer
633	1069		notification requirements imposed under the Security Breach
634	1070		Notification Act, Section 161 et seq. of Title 24 of the Oklahoma
635	1071		Statutes, and any other notification requirements relating to a
636	1072		cybersecurity event imposed under this section.
637		-
638	1073		2. In the case of a cybers ecurity event involving nonpublic
639	1074		information that is in the posse ssion, custody, or control of a
640	1075		third-party service provider of a licensee that is an assuming
641	1076		insurer, the assuming i nsurer shall notify its affected ceding
642	1077		insurers and the Commissioner of its state of domicile within three
643	1078		(3) business days of receiving notice from its third-party service
644	1079		provider that a cybersecurity event has occurred. The ceding
645	1080		insurers that have a direct contractual relationship with affected
646	1081		consumers shall fulfill the consumer notification requirements
647	1082		imposed under Security Brea ch Notification Act, Section 161 et seq.
648	1083		of Title 24 of the Oklahoma Statutes, and any other notification
649	1084		requirements relating to a cybersecurity event imposed under this
650	1085		section.
651		-
652	1086		F. In the case of a cybersecurity event involving nonpublic
653	1087		information that is in the possession, custody, or control of a
654	1088		licensee that is an insurer or its third-party service provider for
	1089	+
	1090	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 22 1
	1091	+	2
	1092	+	3
	1093	+	4
	1094	+	5
	1095	+	6
	1096	+	7
	1097	+	8
	1098	+	9
	1099	+	10
	1100	+	11
	1101	+	12
	1102	+	13
	1103	+	14
	1104	+	15
	1105	+	16
	1106	+	17
	1107	+	18
	1108	+	19
	1109	+	20
	1110	+	21
	1111	+	22
	1112	+	23
	1113	+	24
	1114	+
655	1115		which a consumer accessed the services of the insurer through an
656	1116		independent insurance producer, and for which consumer notice is
657		-
658		-	ENR. S. B. NO. 543 Page 16
659	1117		required by this act or the Security Breach Notification Act,
660	1118		Section 161 et seq. of Title 24 of the Oklahoma Statutes, the
661	1119		insurer shall notify the producers of record of all affected
662	1120		consumers of the cybersecurity event no later than the time at which
663	1121		notice is provided to the affected consumers. The insurer is
664	1122		excused from this obligation for any producers who are not
665	1123		authorized by law or contract to sell, solicit , or negotiate on
666	1124		behalf of the insurer, and in those instances in which the insurer
667	1125		does not have the current producer of record information for an
668	1126		individual consumer. Any licensee acting as an assuming insurer
669	1127		shall have no other notice obligations relating to a cybersecurity
670	1128		event or other data breach under this section or any other law of
671	1129		this state.
672		-
673	1130		SECTION 7. NEW LAW A new section of law to be codified
674	1131		in the Oklahoma Statutes as Section 676 of Title 36, unless there is
675	1132		created a duplication in numb ering, reads as follows:
676		-
677	1133		A. The Insurance Commissioner shall have power to examine and
678	1134		investigate the affairs of any licensee to determine whether the
679	1135		licensee has been or is engaged in any conduct in violation of the
680	1136		provisions of this act or any rules promulgat ed thereto. This power
681	1137		is in addition to the powers which the Commissioner has under
682	1138		applicable provisions of the Insurance Code including, but not
	1139	+
	1140	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 23 1
	1141	+	2
	1142	+	3
	1143	+	4
	1144	+	5
	1145	+	6
	1146	+	7
	1147	+	8
	1148	+	9
	1149	+	10
	1150	+	11
	1151	+	12
	1152	+	13
	1153	+	14
	1154	+	15
	1155	+	16
	1156	+	17
	1157	+	18
	1158	+	19
	1159	+	20
	1160	+	21
	1161	+	22
	1162	+	23
	1163	+	24
	1164	+
683	1165		limited to, Sections 309.1 through 309.6, 332, and 1250.4 of Title
684	1166		36 of the Oklahoma Statutes .
685		-
686	1167		B. Whenever the Commissioner has reason to believe that a
687	1168		licensee has been or is engaged in conduct in this state that
688	1169		violates any provision of this act, the Commissioner may take action
689	1170		that is necessary or appropriate to enforce the provisi ons.
690		-
691	1171		SECTION 8. NEW LAW A new section of law to be codified
692	1172		in the Oklahoma Statutes as Section 677 of Title 36, unless there is
693	1173		created a duplication in numbering, reads as follows:
694		-
695	1174		A. Any documents, materials , or other information in the
696	1175		control or possession of the Insurance Department that are furnished
697	1176		by a licensee or an employee or agent thereof acting on behalf of a
698	1177		licensee pursuant to the provisions of Section 4 and Section 6 of
699	1178		this act or that are obtained by the Insuran ce Commissioner in an
700	1179		investigation or examination pursuant to Section 7 of this act shall
701		-
702		-	ENR. S. B. NO. 543 Page 17
703	1180		be confidential by law and privileged, shall not be subject to the
704	1181		Oklahoma Open Records Act, shall not be subject to subpoena, and
705	1182		shall not be subject to discover y or admissible in evid ence in any
706	1183		private civil action. However, the Commissioner is au thorized to
707	1184		use the documents, materials, or other information in the
708	1185		furtherance of any regulatory or legal action brought as a part of
709	1186		the Commissioner’s duties. The Commissioner shall no t otherwise
710	1187		make the documents, materials, or other information pu blic without
711	1188		the prior written consent of the licensee.
712	1189
	1190	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 24 1
	1191	+	2
	1192	+	3
	1193	+	4
	1194	+	5
	1195	+	6
	1196	+	7
	1197	+	8
	1198	+	9
	1199	+	10
	1200	+	11
	1201	+	12
	1202	+	13
	1203	+	14
	1204	+	15
	1205	+	16
	1206	+	17
	1207	+	18
	1208	+	19
	1209	+	20
	1210	+	21
	1211	+	22
	1212	+	23
	1213	+	24
	1214	+
713	1215		B. Neither the Commissioner nor any person who received
714	1216		documents, materials , or other information while acting under the
715	1217		authority of the Commissioner shall be permitted or required to
716	1218		testify in any private civil action concerning any confidential
717	1219		documents, materials, or information subject to subsection A of this
718	1220		section.
719		-
720	1221		C. In order to assist in the perf ormance of the duties of th e
721	1222		Commissioner under this act, the Commissioner:
722		-
723	1223		1. May share documents, materials, or other information
724	1224		including the confidential and privileged documents, materials, or
725	1225		information subject to subsection A of this section, with other
726	1226		state, federal, and international regulatory agencies, with the
727	1227		National Association of Insurance Commissioners and its affiliates
728	1228		or subsidiaries and with state, federal, and international law
729	1229		enforcement authorities; provided, that the recipient agrees in
730	1230		writing to maintain the confidentiality and privileged status of the
731	1231		document, material, or other information;
732		-
733	1232		2. May receive documents, materials, or information including
734	1233		otherwise confidential and privileged documents, materials , or
735	1234		information, from the National Association of Insurance
736	1235		Commissioners, its affiliates or subsidiaries , and from regulatory
737	1236		and law enforcement officials of other foreign or domestic
738	1237		jurisdictions, and shall maintain as confidential or privileged any
739	1238		document, material, or information received with notice or the
	1239	+
	1240	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 25 1
	1241	+	2
	1242	+	3
	1243	+	4
	1244	+	5
	1245	+	6
	1246	+	7
	1247	+	8
	1248	+	9
	1249	+	10
	1250	+	11
	1251	+	12
	1252	+	13
	1253	+	14
	1254	+	15
	1255	+	16
	1256	+	17
	1257	+	18
	1258	+	19
	1259	+	20
	1260	+	21
	1261	+	22
	1262	+	23
	1263	+	24
	1264	+
740	1265		understanding that it is confidential or priv ileged under the laws
741	1266		of the jurisdiction that is the source of the document, material, or
742	1267		information;
743		-
744		-
745		-	ENR. S. B. NO. 543 Page 18
746	1268		3. May share documents, materials, or other information subject
747	1269		to subsection A of this section, with a third-party consultant or
748	1270		vendor; provided, the consultant agrees in writing to maintain the
749	1271		confidentiality and privileged status of the document, material, or
750	1272		other information; and
751		-
752	1273		4. May enter into agreements governing sharing and use of
753	1274		information consistent with this subsection.
754		-
755	1275		D. No waiver of any applicable privilege or claim of
756	1276		confidentiality in the documents, materials, or information shall
757	1277		occur as a result of disclosure to the Insurance Commissioner under
758	1278		this section or as a result of sharing as authorized in subsection C
759	1279		of this section.
760		-
761	1280		E. Nothing in this act shall prohibit the Commissioner from
762	1281		releasing final, adjudicated actions that are open to public
763	1282		inspection pursuant to the Oklahoma Open Records Act, to a database
764	1283		or other clearinghouse service maintained by the National
765	1284		Association of Insurance Commissioners, its affiliates, or
766	1285		subsidiaries.
767		-
768	1286		F. Documents, materials, or other information in the possession
769	1287		or control of the National Association of Insur ance Commissioners or
770	1288		a third-party consultant or vendor pursuant to this ac t shall not be
	1289	+
	1290	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 26 1
	1291	+	2
	1292	+	3
	1293	+	4
	1294	+	5
	1295	+	6
	1296	+	7
	1297	+	8
	1298	+	9
	1299	+	10
	1300	+	11
	1301	+	12
	1302	+	13
	1303	+	14
	1304	+	15
	1305	+	16
	1306	+	17
	1307	+	18
	1308	+	19
	1309	+	20
	1310	+	21
	1311	+	22
	1312	+	23
	1313	+	24
	1314	+
771	1315		construed to be public information, shall not be subject to the
772	1316		Oklahoma Open Records Act, shall not be subject to subpoena, and
773	1317		shall not be subject to discovery or adm issible as evidence in any
774	1318		private civil action.
775		-
776	1319		SECTION 9. NEW LAW A new section of law to be codified
777	1320		in the Oklahoma Statutes as Section 678 of Title 36, unless there is
778	1321		created a duplication in numbering, reads as follows:
779		-
780	1322		A. The Insurance Commissioner may promulgate any rules
781	1323		necessary to carry ou t the provisions of this section.
782		-
783	1324		B. 1. The following exceptions shall apply to this act:
784		-
785	1325		a. a licensee with less than Five Million Dollars
786	1326		($5,000,000.00) in gross annual revenue, is exempt
787	1327		from this act,
788		-
789		-	ENR. S. B. NO. 543 Page 19
790		-
791	1328		b. a licensee subject to the Health Insurance Po rtability
792	1329		and Accountability Act, Pub . L. 104–191, 110 Stat.
793	1330		1936, as amended, that has established and maintains
794	1331		an information security program pursuant to such
795	1332		statutes, rules, regulation s, procedures, or
796	1333		guidelines established thereunder, will be considered
797	1334		to meet the requirements of Section 4 of this act,
798	1335		provided that the licensee is compliant with and
799	1336		submits a written statement to the Commission er
800	1337		certifying its compliance with the same,
801	1338
	1339	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 27 1
	1340	+	2
	1341	+	3
	1342	+	4
	1343	+	5
	1344	+	6
	1345	+	7
	1346	+	8
	1347	+	9
	1348	+	10
	1349	+	11
	1350	+	12
	1351	+	13
	1352	+	14
	1353	+	15
	1354	+	16
	1355	+	17
	1356	+	18
	1357	+	19
	1358	+	20
	1359	+	21
	1360	+	22
	1361	+	23
	1362	+	24
	1363	+
802	1364		c. a licensee subject to Title V of the federal Gramm -
803	1365		Leach-Bliley Act of 1999 (15 U.S.C. Sections 6801-6809
804	1366		and 6821-6827) that has established and maintains an
805	1367		information security program pursuant to such,
806	1368		statutes, rules, regulations, procedures, or
807	1369		guidelines established thereunder, will be considered
808	1370		to meet the requirements of Section 4 of this act,
809	1371		provided that the licen see is compliant with and
810	1372		submits a written statement to the Commissioner
811	1373		certifying its compliance with the same , and
812		-
813	1374		d. an employee, agent, representative, or designee of a
814	1375		licensee, who is also a licensee, is exempt from this
815	1376		act and shall not be required to develop their own
816	1377		information security program to the extent that the
817	1378		employee, agent, representative , or designee is
818	1379		covered by the information security program of the
819	1380		licensee.
820		-
821	1381		2. If a licensee ceases to qualify for an exception, the
822	1382		licensee shall have one hundred eighty (180) days to comply with the
823	1383		provisions of this act.
824		-
	1384	+	C. In the case of a violation of this act, a licensee may be
	1385	+	penalized in accordance with any applicable sections of the
	1386	+	Insurance Code, including, but not limited to, Section 908 of Title
	1387	+	36 of the Oklahoma Statutes, or any other provisi on providing for
	1388	+
	1389	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 28 1
	1390	+	2
	1391	+	3
	1392	+	4
	1393	+	5
	1394	+	6
	1395	+	7
	1396	+	8
	1397	+	9
	1398	+	10
	1399	+	11
	1400	+	12
	1401	+	13
	1402	+	14
	1403	+	15
	1404	+	16
	1405	+	17
	1406	+	18
	1407	+	19
	1408	+	20
	1409	+	21
	1410	+	22
	1411	+	23
	1412	+	24
	1413	+
	1414	+	penalties that the licensee is subject to under the li cense or
	1415	+	permit of the licensee. Nothing in this act shall be construed to
	1416	+	impose any civil liability for any violation of this act or omission
	1417	+	to act by the licensee or employees of the license e.
	1418	+	D. The provisions of this act sha ll take precedence over any
	1419	+	other state laws applicable to licensees for data security and the
	1420	+	investigation of a cybersecurity event.
	1421	+	SECTION 10. NEW LAW A new section of law to be codified
	1422	+	in the Oklahoma Statutes as Section 679 of Title 36, unless there is
	1423	+	created a duplication in numbering, reads as follows:
	1424	+	Licensees shall have one (1) year from the effective date of
	1425	+	this act to implement Section 4 of this act and two (2) years from
	1426	+	the effective date of this act to implement subsection F of Section
	1427	+	4 of this act.
	1428	+	SECTION 11. This act shall become effective July 1, 2024.
	1429	+	SECTION 12. It being immediately necessary for the preservation
	1430	+	of the public peace, health or safety, an emergency is hereby
	1431	+	declared to exist, by reason w hereof this act shall take effect and
	1432	+	be in full force from and after its passage an d approval."
	1433	+
	1434	+	ENGR. H. A. to ENGR. S. B. NO. 543 Page 29 1
	1435	+	2
	1436	+	3
	1437	+	4
	1438	+	5
	1439	+	6
	1440	+	7
	1441	+	8
	1442	+	9
	1443	+	10
	1444	+	11
	1445	+	12
	1446	+	13
	1447	+	14
	1448	+	15
	1449	+	16
	1450	+	17
	1451	+	18
	1452	+	19
	1453	+	20
	1454	+	21
	1455	+	22
	1456	+	23
	1457	+	24
	1458	+
	1459	+	Passed the House of Representatives the 25th day of April, 2024.
	1460	+
	1461	+
	1462	+
	1463	+
	1464	+
	1465	+	Presiding Officer of the House of
	1466	+	Representatives
	1467	+
	1468	+
	1469	+	Passed the Senate the ____ day of __________, 2024.
	1470	+
	1471	+
	1472	+
	1473	+
	1474	+
	1475	+	Presiding Officer of the Senate
	1476	+
	1477	+
	1478	+	ENGR. S. B. NO. 543 Page 1 1
	1479	+	2
	1480	+	3
	1481	+	4
	1482	+	5
	1483	+	6
	1484	+	7
	1485	+	8
	1486	+	9
	1487	+	10
	1488	+	11
	1489	+	12
	1490	+	13
	1491	+	14
	1492	+	15
	1493	+	16
	1494	+	17
	1495	+	18
	1496	+	19
	1497	+	20
	1498	+	21
	1499	+	22
	1500	+	23
	1501	+	24
	1502	+
	1503	+	ENGROSSED SENATE
	1504	+	BILL NO. 543 By: Montgomery of the Senate
	1505	+
	1506	+	and
	1507	+
	1508	+	Sneed of the House
	1509	+
	1510	+
	1511	+
	1512	+
	1513	+	An Act relating to insurance data security; creating
	1514	+	the Insurance Data Security A ct; providing short
	1515	+	title; establishing act jurisdi ction; construing
	1516	+	provision; defining terms; requiring licensees to
	1517	+	develop data security program with certain
	1518	+	inclusions; establishing intent of security programs
	1519	+	created pursuant to act; directing licensee to
	1520	+	conduct risk assessment; directing licensee t o take
	1521	+	certain action following risk assessment result;
	1522	+	requiring certain su pervising boards to take certain
	1523	+	actions to implement program; requiring licensee to
	1524	+	contract with third-party service provider subject to
	1525	+	certain conditions; requiring licensee to maintain
	1526	+	updates and revisions to program; requiring licensee
	1527	+	develop incident response plan; requiring certain
	1528	+	reports be submitted to the Insurance Commissioner;
	1529	+	requiring insurer to maintain certain records for
	1530	+	specific time period; requiring investiga tion after
	1531	+	certain cybersecurity event; establishing
	1532	+	investigation process; requiring notification of
	1533	+	certain event to the Commissioner; requiring
	1534	+	compliance with certain state laws; providing for
	1535	+	certain exemption; providing for the Commissioner to
	1536	+	investigate certain license es for certain violations;
	1537	+	providing for confidentialit y of certain information
	1538	+	relating to cybersecurity event; allowing
	1539	+	Commissioner to share certain data with national
	1540	+	association; construing provision; providing for rule
	1541	+	promulgation; providing certain exceptions to act;
	1542	+	establishing penalties; amending 51 O.S. 2021,
	1543	+	Section 24A.3, as last amended by Section 1, Chapter
	1544	+	402, O.S.L. 2022 (51 O. S. Supp. 2022, Section 24A.3),
	1545	+	which relates to the Oklahoma Open Records Act;
	1546	+	modifying definition; updating statutory language;
	1547	+	providing for codification; and providing a n
	1548	+	effective date.
	1549	+
	1550	+
	1551	+	ENGR. S. B. NO. 543 Page 2 1
	1552	+	2
	1553	+	3
	1554	+	4
	1555	+	5
	1556	+	6
	1557	+	7
	1558	+	8
	1559	+	9
	1560	+	10
	1561	+	11
	1562	+	12
	1563	+	13
	1564	+	14
	1565	+	15
	1566	+	16
	1567	+	17
	1568	+	18
	1569	+	19
	1570	+	20
	1571	+	21
	1572	+	22
	1573	+	23
	1574	+	24
	1575	+
	1576	+
	1577	+
	1578	+
	1579	+
	1580	+	BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
	1581	+	SECTION 13. NEW LAW A new section of law to be codified
	1582	+	in the Oklahoma Statutes as Section 670 of Title 36, unless there is
	1583	+	created a duplication in numb ering, reads as follows:
	1584	+	This act shall be known and may be cited as the “Insurance Data
	1585	+	Security Act”.
	1586	+	SECTION 14. NEW LAW A new section of law to be codified
	1587	+	in the Oklahoma Statutes as Section 671 of Title 36, unless there is
	1588	+	created a duplication in numb ering, reads as follows:
	1589	+	A. Notwithstanding any other provision o f law, the provisions
	1590	+	of this act shall be the exclusive state law for licensees subject
	1591	+	to the jurisdiction of the Insurance Commissioner for data security,
	1592	+	the investigation of a cybersecurity event, and notification to the
	1593	+	Commissioner.
	1594	+	B. This act shall not be construed to creat e or imply a private
	1595	+	cause of action for violations of its provisions.
	1596	+	SECTION 15. NEW LAW A new section of law to be codified
	1597	+	in the Oklahoma Statutes as Section 672 of Title 36, unless there is
	1598	+	created a duplication in numbering, reads as follows:
	1599	+	As used in this act:
	1600	+	1. “Authorized individual” means an individual known to and
	1601	+	screened by the licensee and determined to be necessary and
	1602	+
	1603	+	ENGR. S. B. NO. 543 Page 3 1
	1604	+	2
	1605	+	3
	1606	+	4
	1607	+	5
	1608	+	6
	1609	+	7
	1610	+	8
	1611	+	9
	1612	+	10
	1613	+	11
	1614	+	12
	1615	+	13
	1616	+	14
	1617	+	15
	1618	+	16
	1619	+	17
	1620	+	18
	1621	+	19
	1622	+	20
	1623	+	21
	1624	+	22
	1625	+	23
	1626	+	24
	1627	+
	1628	+	appropriate to have access to the nonpublic information held by the
	1629	+	licensee and its inform ation systems;
	1630	+	2. “Commissioner” means the Insurance Commissioner;
	1631	+	3. “Consumer” means an individual, including but not limited to
	1632	+	applicants, policyholders, insureds, beneficiaries, claimants, and
	1633	+	certificate holders, who is a resident of this state and whose
	1634	+	nonpublic information is in the possession, custody, or control of a
	1635	+	licensee;
	1636	+	4. “Cybersecurity event” means an event resulting in
	1637	+	unauthorized access to or disruption or misuse of an information
	1638	+	system or nonpublic information stored on the information system.
	1639	+	The term cybersecurity event shall not include the unauthorized
	1640	+	acquisition of encrypted nonpublic information if the encryption,
	1641	+	process, or key is not also acquired, released , or used without
	1642	+	authorization. Cybersecurity event shall not include an event in
	1643	+	which the licensee has determined tha t the nonpublic info rmation
	1644	+	accessed by an unauthorized person has not been used or released and
	1645	+	has been returned or destroyed ;
	1646	+	5. “Department” means the Insurance Department;
	1647	+	6. “Encrypted” means the transformation of data into a form
	1648	+	which results in a low probability of assigning meaning without the
	1649	+	use of a protective process or key;
	1650	+	7. “Information security program ” means the administrative,
	1651	+	technical, and physical safeguards that a licensee u ses to access,
	1652	+
	1653	+	ENGR. S. B. NO. 543 Page 4 1
	1654	+	2
	1655	+	3
	1656	+	4
	1657	+	5
	1658	+	6
	1659	+	7
	1660	+	8
	1661	+	9
	1662	+	10
	1663	+	11
	1664	+	12
	1665	+	13
	1666	+	14
	1667	+	15
	1668	+	16
	1669	+	17
	1670	+	18
	1671	+	19
	1672	+	20
	1673	+	21
	1674	+	22
	1675	+	23
	1676	+	24
	1677	+
	1678	+	collect, distribute, process, protect, st ore, use, transmit, dispose
	1679	+	of, or otherwise handle nonpublic information;
	1680	+	8. “Information system” means a discrete set of electro nic
	1681	+	information resources organized for the collection, processing,
	1682	+	maintenance, use, sharing, dissemination or disposition of nonpublic
	1683	+	information, as well as any specialized system such as industrial or
	1684	+	process controls systems, telephone switching and private branch
	1685	+	exchange systems, and environmental control systems;
	1686	+	9. “Licensee” means any person licensed, authorized to o perate,
	1687	+	or registered, or required to be licensed, authorized to operate, or
	1688	+	registered, pursuant to Title 36 of the Oklahoma Statutes; provided,
	1689	+	however, that it shall not include a purchasing group or a risk
	1690	+	retention group chartered and licensed in a st ate other than this
	1691	+	state or a person that is acting as an assuming insurer that is
	1692	+	domiciled in another state or jurisdiction;
	1693	+	10. “Multi-factor authentication” means authentication through
	1694	+	verification of at least two (2) of the following types of
	1695	+	authentication factors:
	1696	+	a. knowledge factors, such as a password ,
	1697	+	b. possession factors, such as a token or text message on
	1698	+	a mobile phone, or
	1699	+	c. inherence factors, such as a biometric characteristic;
	1700	+	11. “Nonpublic information” means electronic information th at
	1701	+	is not publicly available and is:
	1702	+
	1703	+	ENGR. S. B. NO. 543 Page 5 1
	1704	+	2
	1705	+	3
	1706	+	4
	1707	+	5
	1708	+	6
	1709	+	7
	1710	+	8
	1711	+	9
	1712	+	10
	1713	+	11
	1714	+	12
	1715	+	13
	1716	+	14
	1717	+	15
	1718	+	16
	1719	+	17
	1720	+	18
	1721	+	19
	1722	+	20
	1723	+	21
	1724	+	22
	1725	+	23
	1726	+	24
	1727	+
	1728	+	a. business related information of a licensee, of which
	1729	+	the tampering with or unauthorized disclosure, acce ss,
	1730	+	or use of would cause a material adverse impact to the
	1731	+	business, operations, or security of the licensee,
	1732	+	b. any information concerning a consumer that, because of
	1733	+	name, number, personal mark, or other identifier, can
	1734	+	be used to identify him or her, in co mbination with
	1735	+	any one or more of the following data elements:
	1736	+	(1) social security number,
	1737	+	(2) driver license number or nondriver identification
	1738	+	card number,
	1739	+	(3) financial account number, credit card number, or
	1740	+	debit card number,
	1741	+	(4) any security code, access code , or password that
	1742	+	would permit access to a consumer’s financial
	1743	+	account, or
	1744	+	(5) biometric records, or
	1745	+	c. any information or data, except age or gender, in any
	1746	+	form or medium created by or derived from a health
	1747	+	care provider or a consumer that can be used to
	1748	+	identify a particular consumer and that relates to:
	1749	+	(1) the past, present, or future physical, men tal, or
	1750	+	behavioral health or condition of any consumer or
	1751	+	a member of the family of the consumer,
	1752	+
	1753	+	ENGR. S. B. NO. 543 Page 6 1
	1754	+	2
	1755	+	3
	1756	+	4
	1757	+	5
	1758	+	6
	1759	+	7
	1760	+	8
	1761	+	9
	1762	+	10
	1763	+	11
	1764	+	12
	1765	+	13
	1766	+	14
	1767	+	15
	1768	+	16
	1769	+	17
	1770	+	18
	1771	+	19
	1772	+	20
	1773	+	21
	1774	+	22
	1775	+	23
	1776	+	24
	1777	+
	1778	+	(2) the provision of health care to any consumer , or
	1779	+	(3) payment for the provision of health care to any
	1780	+	consumer;
	1781	+	12. “Person” means any individual or any nongovernmental
	1782	+	entity including but not limited to any nongovernmental
	1783	+	partnership, corporation, branch, agency, or association;
	1784	+	13. “Publicly available information” means any information that
	1785	+	a licensee has reasonable basis to believe is lawfully made
	1786	+	available to the gener al public from federal, state, or local
	1787	+	government records, widely distributed media, or disclosures to the
	1788	+	general public that are required to be made by federal, state, or
	1789	+	local law. For the purposes of this definition, a licensee has a
	1790	+	reasonable basis to believe that information is lawfully made
	1791	+	available to the general public if the licensee has taken steps to
	1792	+	determine:
	1793	+	a. that the information is of the type that is available
	1794	+	to the general public, and
	1795	+	b. whether a consumer can direct that the information not
	1796	+	be made available to the general public and, if so,
	1797	+	that such consumer has not done so; and
	1798	+	14. “Third-party service provider” means a person, not
	1799	+	otherwise defined as a licensee, that contracts with a licensee to
	1800	+	maintain, process, store, or otherwise is permitted access to
	1801	+
	1802	+	ENGR. S. B. NO. 543 Page 7 1
	1803	+	2
	1804	+	3
	1805	+	4
	1806	+	5
	1807	+	6
	1808	+	7
	1809	+	8
	1810	+	9
	1811	+	10
	1812	+	11
	1813	+	12
	1814	+	13
	1815	+	14
	1816	+	15
	1817	+	16
	1818	+	17
	1819	+	18
	1820	+	19
	1821	+	20
	1822	+	21
	1823	+	22
	1824	+	23
	1825	+	24
	1826	+
	1827	+	nonpublic information through its provision of services to the
	1828	+	licensee.
	1829	+	SECTION 16. NEW LAW A new section of law to be codified
	1830	+	in the Oklahoma Statutes as Section 673 of Title 36, unless there is
	1831	+	created a duplication in numbering, reads as follows:
	1832	+	A. Each licensee in this state shall develop, implement, and
	1833	+	maintain a comprehensive written information security program based
	1834	+	on the risk assessment of the licensee provided for in t his act and
	1835	+	that contains administrative, technical, and physical safeguards for
	1836	+	the protection of nonpublic in formation and the information systems
	1837	+	of the licensee. The program shall be commensurate with the size and
	1838	+	complexity of the licensee, the nature and scope of the activities
	1839	+	of the licensee, including its use of third-party service providers,
	1840	+	and the sensitivity of the nonpublic information used by the
	1841	+	licensee or in the possession, custody, or control of the licensee.
	1842	+	B. An information security program of a license e shall be
	1843	+	designed to:
	1844	+	1. Protect the security and confidentialit y of nonpublic
	1845	+	information and the security of the information systems;
	1846	+	2. Protect against any threats or hazards to the security or
	1847	+	integrity of nonpublic information and the information systems;
	1848	+	3. Protect against unauthorized access to or use of nonpu blic
	1849	+	information, and minimize the likelihood o f harm to any consumer;
	1850	+	and
	1851	+
	1852	+	ENGR. S. B. NO. 543 Page 8 1
	1853	+	2
	1854	+	3
	1855	+	4
	1856	+	5
	1857	+	6
	1858	+	7
	1859	+	8
	1860	+	9
	1861	+	10
	1862	+	11
	1863	+	12
	1864	+	13
	1865	+	14
	1866	+	15
	1867	+	16
	1868	+	17
	1869	+	18
	1870	+	19
	1871	+	20
	1872	+	21
	1873	+	22
	1874	+	23
	1875	+	24
	1876	+
	1877	+	4. Define and periodically reevaluate a schedule for retention
	1878	+	of nonpublic information and a mechanism for its destruction when no
	1879	+	longer needed.
	1880	+	C. The licensee shall:
	1881	+	1. Designate one or more employees, an affiliate, or an outside
	1882	+	vendor designated to act on behalf of the licensee who is
	1883	+	responsible for the information security program;
	1884	+	2. Identify reasonably foreseeable internal or external threats
	1885	+	that could result in unauthorized access, transmission, disclosure,
	1886	+	misuse, alteration, or destruction of nonpublic information
	1887	+	including, but not limited to, the security of information systems
	1888	+	and nonpublic information that are accessible to, or held by, third-
	1889	+	party service providers;
	1890	+	3. Assess the likelihood and potential damage of these threats,
	1891	+	taking into consideration the sensitivity of the nonpublic
	1892	+	information;
	1893	+	4. Assess the sufficiency of policies, procedures, information
	1894	+	systems, and other safeguards in place to manage these threats,
	1895	+	including consideration of threats in each relevant area of the
	1896	+	operations of the licensee, including:
	1897	+	a. employee training and management,
	1898	+	b. information systems, including, but not limited to,
	1899	+	network and software design, as well as information
	1900	+
	1901	+	ENGR. S. B. NO. 543 Page 9 1
	1902	+	2
	1903	+	3
	1904	+	4
	1905	+	5
	1906	+	6
	1907	+	7
	1908	+	8
	1909	+	9
	1910	+	10
	1911	+	11
	1912	+	12
	1913	+	13
	1914	+	14
	1915	+	15
	1916	+	16
	1917	+	17
	1918	+	18
	1919	+	19
	1920	+	20
	1921	+	21
	1922	+	22
	1923	+	23
	1924	+	24
	1925	+
	1926	+	classification, governance, processing, storage,
	1927	+	transmission, and disposal, and
	1928	+	c. detecting, preventing, and responding to attacks,
	1929	+	intrusions, or other systems failures; and
	1930	+	5. Implement information safeguards to manage the threats
	1931	+	identified in its ongoing assessment, and no less than annuall y,
	1932	+	assess the effectiveness of the key cont rols, systems, and
	1933	+	procedures of the safeguards.
	1934	+	D. Based on the results of the risk assessment, the licensee
	1935	+	shall:
	1936	+	1. Design its information security program to mitigate the
	1937	+	identified risks, commensurate with the size and complexity of the
	1938	+	licensee, the nature and scope of the a ctivities of the licensee
	1939	+	including its use of third-party service providers, and the
	1940	+	sensitivity of the nonpublic information used by the licensee or in
	1941	+	the possession, custody, or control of the licensee;
	1942	+	2. Determine and implement security measures deemed
	1943	+	appropriate, including:
	1944	+	a. place access controls on information systems
	1945	+	including controls to authenticate and permit access
	1946	+	only to authorized individuals to protect against the
	1947	+	unauthorized acquisition of nonpublic information,
	1948	+	b. identify and manage the data, personnel, devices,
	1949	+	systems, and facilities that enable the organization
	1950	+
	1951	+	ENGR. S. B. NO. 543 Page 10 1
	1952	+	2
	1953	+	3
	1954	+	4
	1955	+	5
	1956	+	6
	1957	+	7
	1958	+	8
	1959	+	9
	1960	+	10
	1961	+	11
	1962	+	12
	1963	+	13
	1964	+	14
	1965	+	15
	1966	+	16
	1967	+	17
	1968	+	18
	1969	+	19
	1970	+	20
	1971	+	21
	1972	+	22
	1973	+	23
	1974	+	24
	1975	+
	1976	+	to achieve business purposes in acco rdance with their
	1977	+	relative importance to business objectives and the
	1978	+	risk strategy of the organization,
	1979	+	c. restrict physical access to nonpublic information to
	1980	+	authorized individuals only,
	1981	+	d. protect by encryption or other appropriate means, all
	1982	+	nonpublic information while being transmitted over an
	1983	+	external network and all nonpublic information stored
	1984	+	on a laptop computer or other portable computing or
	1985	+	storage device or media,
	1986	+	e. adopt secure development practices for in-house
	1987	+	developed applications utilized by the licensee,
	1988	+	f. modify the information system in accordance with the
	1989	+	information security program of the licensee,
	1990	+	g. utilize effective controls, which may include multi-
	1991	+	factor authentication procedures for any authorized
	1992	+	individual accessing nonpublic information,
	1993	+	h. regularly test and monitor systems and procedures to
	1994	+	detect actual and attempted attacks on, or intrusions
	1995	+	into, information systems,
	1996	+	i. include audit trails within the information security
	1997	+	program designed to detect and respond to
	1998	+	cybersecurity events and designed to reconstruct
	1999	+
	2000	+	ENGR. S. B. NO. 543 Page 11 1
	2001	+	2
	2002	+	3
	2003	+	4
	2004	+	5
	2005	+	6
	2006	+	7
	2007	+	8
	2008	+	9
	2009	+	10
	2010	+	11
	2011	+	12
	2012	+	13
	2013	+	14
	2014	+	15
	2015	+	16
	2016	+	17
	2017	+	18
	2018	+	19
	2019	+	20
	2020	+	21
	2021	+	22
	2022	+	23
	2023	+	24
	2024	+
	2025	+	material financial transactions sufficient to support
	2026	+	normal operations and obligations of the licensee,
	2027	+	j. implement measures to protect against destruction,
	2028	+	loss, or damage of nonpublic information due to
	2029	+	environmental hazards such as fire and water damage or
	2030	+	other catastrophic events or technological failures,
	2031	+	and
	2032	+	k. develop, implement, and maintain procedures for the
	2033	+	secure disposal of nonpublic information in any format;
	2034	+	3. Include cybersecurity risks in the enterprise risk management
	2035	+	process of the licensee;
	2036	+	4. Stay informed regarding emerging threats or vulnerabilities
	2037	+	and utilize reasonable security measures when sharing information
	2038	+	relative to the character of the sharing and the type of information
	2039	+	shared; and
	2040	+	5. Provide its personnel with cybersecurity awareness training
	2041	+	that is updated as necessary to reflect risks identified by the
	2042	+	licensee in the risk assessment.
	2043	+	E. If the licensee has a board of directors, the board or an
	2044	+	appropriate committee of the board , at a minimum, within one year of
	2045	+	the effective date of thi s act, shall:
	2046	+	1. Require the executive management of the licensee or its
	2047	+	delegates to develop, implement, and maintain the information
	2048	+	security program of the licensee;
	2049	+
	2050	+	ENGR. S. B. NO. 543 Page 12 1
	2051	+	2
	2052	+	3
	2053	+	4
	2054	+	5
	2055	+	6
	2056	+	7
	2057	+	8
	2058	+	9
	2059	+	10
	2060	+	11
	2061	+	12
	2062	+	13
	2063	+	14
	2064	+	15
	2065	+	16
	2066	+	17
	2067	+	18
	2068	+	19
	2069	+	20
	2070	+	21
	2071	+	22
	2072	+	23
	2073	+	24
	2074	+
	2075	+	2. Require the executive management of the licensee or its
	2076	+	delegates to report to the Insurance Commissioner in writing, at
	2077	+	least annually, the following information:
	2078	+	a. the overall status of the information security program
	2079	+	and the compliance of the licensee with this act, and
	2080	+	b. material matters related to the information security
	2081	+	program, addressing issues such as risk asses sment,
	2082	+	risk management and control decisions, third-party
	2083	+	service provider arrangements, results of testing,
	2084	+	cybersecurity events or violations and responses of
	2085	+	the management to those events or violations, and
	2086	+	recommendations for changes in the informatio n
	2087	+	security program; and
	2088	+	3. If executive management delegates any of its
	2089	+	responsibilities, it shall oversee the development, implementation ,
	2090	+	and maintenance of the information security program of the licensee
	2091	+	prepared by the delegate or delegates and shall receive a report
	2092	+	from the delegate or delegates complying with the requirements of
	2093	+	the report to the board.
	2094	+	F. A licensee shall exercise due diligence in selecting its
	2095	+	third-party service provider and shall require t he provider to
	2096	+	implement appropriate a dministrative, technical, and physical
	2097	+	measures to protect and secure the information systems and nonpublic
	2098	+
	2099	+	ENGR. S. B. NO. 543 Page 13 1
	2100	+	2
	2101	+	3
	2102	+	4
	2103	+	5
	2104	+	6
	2105	+	7
	2106	+	8
	2107	+	9
	2108	+	10
	2109	+	11
	2110	+	12
	2111	+	13
	2112	+	14
	2113	+	15
	2114	+	16
	2115	+	17
	2116	+	18
	2117	+	19
	2118	+	20
	2119	+	21
	2120	+	22
	2121	+	23
	2122	+	24
	2123	+
	2124	+	information that are accessible to, or held by, the third-party
	2125	+	service provider.
	2126	+	G. The licensee shall monito r, evaluate, and adjust, as
	2127	+	appropriate, the information security program consistent with any
	2128	+	relevant changes in technology, the sensitivity of its nonpublic
	2129	+	information, internal o r external threats to information and the
	2130	+	changing business arrangements o f the licensee, such as mergers and
	2131	+	acquisitions, alliances and joint ventures, outsourcing
	2132	+	arrangements, and changes to information systems.
	2133	+	H. As part of its information s ecurity program, each licensee
	2134	+	shall establish a written incident response plan de signed to
	2135	+	promptly respond to, and re cover from, any cybersecurity event that
	2136	+	compromises the confidentiality, integrity, or availability of
	2137	+	nonpublic information in its possession, the information systems of
	2138	+	the licensee, or the continuing functionality of any aspect of the
	2139	+	business or operations of the licensee.
	2140	+	The incident response plan shall address the following areas:
	2141	+	1. The internal process for responding to a cybersecurity
	2142	+	event;
	2143	+	2. The goals of the incident response plan;
	2144	+	3. The definition of cl ear roles, responsibilities , and levels
	2145	+	of decision-making authority;
	2146	+	4. External and internal communications and information
	2147	+	sharing;
	2148	+
	2149	+	ENGR. S. B. NO. 543 Page 14 1
	2150	+	2
	2151	+	3
	2152	+	4
	2153	+	5
	2154	+	6
	2155	+	7
	2156	+	8
	2157	+	9
	2158	+	10
	2159	+	11
	2160	+	12
	2161	+	13
	2162	+	14
	2163	+	15
	2164	+	16
	2165	+	17
	2166	+	18
	2167	+	19
	2168	+	20
	2169	+	21
	2170	+	22
	2171	+	23
	2172	+	24
	2173	+
	2174	+	5. Identification of requirements for the remediation of any
	2175	+	identified weaknesses in information systems and associated
	2176	+	controls;
	2177	+	6. Documentation and re porting regarding cybersecurity events
	2178	+	and related incident response activities; and
	2179	+	7. The evaluation and revision as necessary of the incident
	2180	+	response plan following a cybersecurity event.
	2181	+	I. Annually, each insurer domiciled in this state shall submit
	2182	+	to the Commissioner a written statement by March 1, certifying that
	2183	+	the insurer complies with the requirements set forth in this section.
	2184	+	Each insurer shall maintain, for examination by the Insurance
	2185	+	Department, all records, schedules, and data supporting this
	2186	+	certificate for a period of five (5) years. To the extent an
	2187	+	insurer has identified areas, systems, or processes that require
	2188	+	material improvement, updating, or redesign, the insurer shall
	2189	+	document the identification and the remedial efforts planned and
	2190	+	underway to address such areas, systems, or processes. The
	2191	+	documentation shall be available for inspection by the Commissioner
	2192	+	upon request.
	2193	+	SECTION 17. NEW LAW A new section of law to be codified
	2194	+	in the Oklahoma Statutes as S ection 674 of Title 36, unless there is
	2195	+	created a duplication in numbering, reads as follows:
	2196	+	A. If the licensee learns that a cybersecurity event has or
	2197	+	may have occurred, the licensee, or an outside vendor or service
	2198	+
	2199	+	ENGR. S. B. NO. 543 Page 15 1
	2200	+	2
	2201	+	3
	2202	+	4
	2203	+	5
	2204	+	6
	2205	+	7
	2206	+	8
	2207	+	9
	2208	+	10
	2209	+	11
	2210	+	12
	2211	+	13
	2212	+	14
	2213	+	15
	2214	+	16
	2215	+	17
	2216	+	18
	2217	+	19
	2218	+	20
	2219	+	21
	2220	+	22
	2221	+	23
	2222	+	24
	2223	+
	2224	+	provider designated to act on behalf of the licensee, shall conduct
	2225	+	a prompt investigation.
	2226	+	B. During the investigation, the licensee, or an outside vendor
	2227	+	or service provider des ignated to act on behalf of the licensee,
	2228	+	shall, at a minimum:
	2229	+	1. Determine whether a cybersecurity event has o ccurred;
	2230	+	2. Assess the nature and scope of the cybersecurity event;
	2231	+	3. Identify any nonpublic information that may have been
	2232	+	involved in the cybersecurity event; and
	2233	+	4. Perform or oversee r easonable measures to restore the
	2234	+	security of the information sy stems compromised in the cybersecurity
	2235	+	event in order to prevent further unauthorized acquisition, release,
	2236	+	or use of nonpublic information in th e possession, custody, or
	2237	+	control of the licensee .
	2238	+	C. If the licensee learns that a cybersecurity event has or may
	2239	+	have occurred in a syst em maintained by a third-party service
	2240	+	provider, the licensee shall complete the steps listed in subsection
	2241	+	B of this section or confirm and document that the third -party
	2242	+	service provider has completed those steps.
	2243	+	D. The licensee shall maintain records concerning all
	2244	+	cybersecurity events for a period of at least five (5) years from
	2245	+	the date of the cybersecurity event and shall produce those records
	2246	+	upon request by the Insurance Commissioner.
	2247	+
	2248	+	ENGR. S. B. NO. 543 Page 16 1
	2249	+	2
	2250	+	3
	2251	+	4
	2252	+	5
	2253	+	6
	2254	+	7
	2255	+	8
	2256	+	9
	2257	+	10
	2258	+	11
	2259	+	12
	2260	+	13
	2261	+	14
	2262	+	15
	2263	+	16
	2264	+	17
	2265	+	18
	2266	+	19
	2267	+	20
	2268	+	21
	2269	+	22
	2270	+	23
	2271	+	24
	2272	+
	2273	+	SECTION 18. NEW LAW A new section of law to be codified
	2274	+	in the Oklahoma Statutes as Section 675 of Title 36, unless there is
	2275	+	created a duplication in numb ering, reads as follows:
	2276	+	A. Every licensee shall notify the Insurance Commissioner
	2277	+	without unreasonable delay, but not later than three busine ss days,
	2278	+	from a determination that a cybersecurity event involving nonpublic
	2279	+	information that is in the possession of a licensee has occurred
	2280	+	when either of the following criteria has been met:
	2281	+	1. This state is the state of dom icile of the licensee, in the
	2282	+	case of an insurer, or this state is the home state of the licensee,
	2283	+	in the case of a producer, as those terms are defined in the
	2284	+	Oklahoma Producer Licensing Act, Sections 1435.1 thro ugh 1435.41 of
	2285	+	Title 36 of the Oklahoma Sta tutes, and the cybersecurity event has a
	2286	+	reasonable likelihood of materially harming any material part of the
	2287	+	normal operations of the licensee or any consumer residing in this
	2288	+	state; or
	2289	+	2. The licensee reasonably believes that the nonpublic
	2290	+	information involved is of two hundred fi fty (250) or more consumers
	2291	+	residing in this state and is either of the following:
	2292	+	a. a cybersecurity event impacting the licensee of which
	2293	+	notice is required to be provided to any government
	2294	+	body, self-regulatory agency, or any other supervisory
	2295	+	body pursuant to any state or federal law, or
	2296	+
	2297	+	ENGR. S. B. NO. 543 Page 17 1
	2298	+	2
	2299	+	3
	2300	+	4
	2301	+	5
	2302	+	6
	2303	+	7
	2304	+	8
	2305	+	9
	2306	+	10
	2307	+	11
	2308	+	12
	2309	+	13
	2310	+	14
	2311	+	15
	2312	+	16
	2313	+	17
	2314	+	18
	2315	+	19
	2316	+	20
	2317	+	21
	2318	+	22
	2319	+	23
	2320	+	24
	2321	+
	2322	+	b. a cybersecurity event that has a reasonable likelihood
	2323	+	of materially harming:
	2324	+	(1) any consumer residing in this state , or
	2325	+	(2) any material part of the normal operation or
	2326	+	operations of the licensee.
	2327	+	B. The licensee making the notification required in subsection
	2328	+	A of this section shall provide as much of the following information
	2329	+	as possible, electronically in the manner and form prescribed by the
	2330	+	Commissioner, along with any applicable fee s. The licensee shall
	2331	+	have a continuing obligation to update and supplement initial and
	2332	+	subsequent notifications to the Commissioner regarding material
	2333	+	changes to previously provided information relating to the
	2334	+	cybersecurity event. The licensee shall provide:
	2335	+	1. Date of the cybersecurity event;
	2336	+	2. Description of how the information was exposed, lost,
	2337	+	stolen, or breached including, but not limited to, the specific
	2338	+	roles and responsibilities of third-party service providers, if any;
	2339	+	3. How the cybersecurity event was discovered;
	2340	+	4. Whether any lost, stolen, or breached information has been
	2341	+	recovered and, if so, how this was done;
	2342	+	5. The identity of the source of the cybersecurity event;
	2343	+	6. Whether the licensee has filed a police report or has
	2344	+	notified any regulatory, government , or law enforcement agencies
	2345	+	and, if so, when such notification was provided;
	2346	+
	2347	+	ENGR. S. B. NO. 543 Page 18 1
	2348	+	2
	2349	+	3
	2350	+	4
	2351	+	5
	2352	+	6
	2353	+	7
	2354	+	8
	2355	+	9
	2356	+	10
	2357	+	11
	2358	+	12
	2359	+	13
	2360	+	14
	2361	+	15
	2362	+	16
	2363	+	17
	2364	+	18
	2365	+	19
	2366	+	20
	2367	+	21
	2368	+	22
	2369	+	23
	2370	+	24
	2371	+
	2372	+	7. Description of the specific ty pes of information acquired
	2373	+	without authorization. The term “specific types of information”
	2374	+	means particular data elements including, but not li mited to, types
	2375	+	of medical information, financial information, or information
	2376	+	allowing identification of the con sumer;
	2377	+	8. The period during which the information system was
	2378	+	compromised by the cybersecurity event;
	2379	+	9. The number of total consumers in this state affected by the
	2380	+	cybersecurity event. The licensee shall provide the best estimate
	2381	+	in the initial report t o the Commissioner and update this estimate
	2382	+	with each subsequent report to the Commissioner pursuant to this
	2383	+	section;
	2384	+	10. The results of any in ternal review identifying a lapse in
	2385	+	either automated controls or internal procedures, or confirming that
	2386	+	all automated controls or internal procedures were followed;
	2387	+	11. Description of efforts being undertaken to remediate the
	2388	+	situation which permitted t he cybersecurity event to occur;
	2389	+	12. A copy of the privacy policy of the licensee and a
	2390	+	statement outlining the steps the licensee will take to investigate
	2391	+	and notify consumers affected by the cybersecurity event; and
	2392	+	13. Name of a contact person who is both familiar with the
	2393	+	cybersecurity event and authorized to act for the licensee.
	2394	+	C. A licensee shall comply w ith the procedures of the Security
	2395	+	Breach Notification Act, Section 161 et seq. of Title 24 of the
	2396	+
	2397	+	ENGR. S. B. NO. 543 Page 19 1
	2398	+	2
	2399	+	3
	2400	+	4
	2401	+	5
	2402	+	6
	2403	+	7
	2404	+	8
	2405	+	9
	2406	+	10
	2407	+	11
	2408	+	12
	2409	+	13
	2410	+	14
	2411	+	15
	2412	+	16
	2413	+	17
	2414	+	18
	2415	+	19
	2416	+	20
	2417	+	21
	2418	+	22
	2419	+	23
	2420	+	24
	2421	+
	2422	+	Oklahoma Statutes, to notify affected consume rs and provide a copy
	2423	+	of the notice sent to consumers under that statute to the
	2424	+	Commissioner, when a licensee is required to notify the Commissioner
	2425	+	under subsection A of this section.
	2426	+	D. 1. In the case of a cybersecurity even t in a system
	2427	+	maintained by a third-party service provider, of which the licensee
	2428	+	has become aware, the licensee shall treat the event as it would
	2429	+	under subsection A of this section unless the third -party service
	2430	+	provider provides the notice required under subsection A of this
	2431	+	section to the Commissioner and the licensee.
	2432	+	2. The computation of deadlines of the licensee shall begin on
	2433	+	the day after the third-party service provider notifies the licensee
	2434	+	of the cybersecurity event or the licensee otherwise ha s actual
	2435	+	knowledge of the cybersecurity event, whichever is sooner.
	2436	+	3. Nothing in this act shall prevent or abrogate an agreement
	2437	+	between a licensee and another licensee, a third -party service
	2438	+	provider, or any other party to fulfill any of the investigation
	2439	+	requirements impose or notice requirements imposed under this act.
	2440	+	E. 1. In the case of a cybersecurity event involving nonpublic
	2441	+	information that is used by the licensee that is acting as an
	2442	+	assuming insurer, or in the possession, custody , or control of a
	2443	+	licensee, that is acti ng as an assuming insurer and that does not
	2444	+	have a direct contractual relationship with the affected consumers,
	2445	+	the assuming insurer shall notify its affected ceding insurers and
	2446	+
	2447	+	ENGR. S. B. NO. 543 Page 20 1
	2448	+	2
	2449	+	3
	2450	+	4
	2451	+	5
	2452	+	6
	2453	+	7
	2454	+	8
	2455	+	9
	2456	+	10
	2457	+	11
	2458	+	12
	2459	+	13
	2460	+	14
	2461	+	15
	2462	+	16
	2463	+	17
	2464	+	18
	2465	+	19
	2466	+	20
	2467	+	21
	2468	+	22
	2469	+	23
	2470	+	24
	2471	+
	2472	+	the Commissioner of its state of domicile within three (3) business
	2473	+	days of making the determination that a cybersecurity event has
	2474	+	occurred. The ceding insurers that have a direct contractual
	2475	+	relationship with affected consumers shall fulfill the consumer
	2476	+	notification requirements imposed under the Sec urity Breach
	2477	+	Notification Act, Section 161 et seq. of Title 24 of the Oklahoma
	2478	+	Statutes, and any other notification requirements relating to a
	2479	+	cybersecurity event imposed under this section.
	2480	+	2. In the case of a cybersecurity event involving nonpublic
	2481	+	information that is in the posse ssion, custody, or control of a
	2482	+	third-party service provider of a licensee that is an assuming
	2483	+	insurer, the assuming i nsurer shall notify its affected ceding
	2484	+	insurers and the Commissioner of its state of domicile within three
	2485	+	(3) business days of receiving notice from its third-party service
	2486	+	provider that a cybersecurity event has occurred. The ceding
	2487	+	insurers that have a direct contractual relationship with affected
	2488	+	consumers shall fulfill the consumer notification requirements
	2489	+	imposed under Security Brea ch Notification Act, Section 161 et seq.
	2490	+	of Title 24 of the Oklahoma Statutes, and any other notification
	2491	+	requirements relating to a cybersecurity event imposed under this
	2492	+	section.
	2493	+	F. In the case of a cybersecurity event involv ing nonpublic
	2494	+	information that is in the possession, custody, or control of a
	2495	+	licensee that is an insurer or its third-party service provider for
	2496	+
	2497	+	ENGR. S. B. NO. 543 Page 21 1
	2498	+	2
	2499	+	3
	2500	+	4
	2501	+	5
	2502	+	6
	2503	+	7
	2504	+	8
	2505	+	9
	2506	+	10
	2507	+	11
	2508	+	12
	2509	+	13
	2510	+	14
	2511	+	15
	2512	+	16
	2513	+	17
	2514	+	18
	2515	+	19
	2516	+	20
	2517	+	21
	2518	+	22
	2519	+	23
	2520	+	24
	2521	+
	2522	+	which a consumer accessed the services of the insurer through an
	2523	+	independent insurance producer, and for which consumer notice is
	2524	+	required by this act or the Security Breach Notification Act,
	2525	+	Section 161 et seq. of Title 24 of the Oklahoma Statutes, the
	2526	+	insurer shall notify the producers of record of all affected
	2527	+	consumers of the cybersecurity event no later than the time at which
	2528	+	notice is provided to the affected consumers. The insurer is
	2529	+	excused from this obligation for any producers who are not
	2530	+	authorized by law or contract to sell, solicit , or negotiate on
	2531	+	behalf of the insurer, and in those instances in whic h the insurer
	2532	+	does not have the current producer of record information for an
	2533	+	individual consumer. Any licensee acting as an assuming insurer
	2534	+	shall have no other notice obligations relating to a cybersecurity
	2535	+	event or other data breach under this section or any other law of
	2536	+	this state.
	2537	+	SECTION 19. NEW LAW A new section of law to be codified
	2538	+	in the Oklahoma Statutes as Section 676 of Title 36, unless there is
	2539	+	created a duplication in numb ering, reads as follows:
	2540	+	A. The Insurance Commissioner shall have power to examine and
	2541	+	investigate the affairs of any licensee to determine whether the
	2542	+	licensee has been or is engaged in any conduct in violation of the
	2543	+	provisions of this act or any rules promulgated thereto . This power
	2544	+	is in addition to the powers which the Commissioner has under
	2545	+	applicable provisions of the Insurance Code including, but not
	2546	+
	2547	+	ENGR. S. B. NO. 543 Page 22 1
	2548	+	2
	2549	+	3
	2550	+	4
	2551	+	5
	2552	+	6
	2553	+	7
	2554	+	8
	2555	+	9
	2556	+	10
	2557	+	11
	2558	+	12
	2559	+	13
	2560	+	14
	2561	+	15
	2562	+	16
	2563	+	17
	2564	+	18
	2565	+	19
	2566	+	20
	2567	+	21
	2568	+	22
	2569	+	23
	2570	+	24
	2571	+
	2572	+	limited to, Sections 309.1 through 309.6, 332, and 1250.4 of Title
	2573	+	36 of the Oklahoma Statutes .
	2574	+	B. Whenever the Commissioner has reason to belie ve that a
	2575	+	licensee has been or is engaged in conduct in this state that
	2576	+	violates any provision of this act, the Commissioner may take action
	2577	+	that is necessary or appropriate to enforce the provisi ons.
	2578	+	SECTION 20. NEW LAW A new sectio n of law to be codifi ed
	2579	+	in the Oklahoma Statutes as Section 677 of Title 36, unless there is
	2580	+	created a duplication in numbering, reads as follows:
	2581	+	A. Any documents, materials , or other information in the
	2582	+	control or possession of the Insurance Department that are furnished
	2583	+	by a licensee or an employee or agent thereof acting on behalf of a
	2584	+	licensee pursuant to the provisions of Section 4 and Section 6 of
	2585	+	this act or that are obtained by the Insuran ce Commissioner in an
	2586	+	investigation or examinati on pursuant to Section 7 of this act shall
	2587	+	be confidential by law and privileged, shall not be subject to the
	2588	+	Oklahoma Open Records Act, shall not be subject to subpoena, and
	2589	+	shall not be subject to discover y or admissible in evidence in any
	2590	+	private civil action. However, the Commissioner is au thorized to
	2591	+	use the documents, materials, or other information in the
	2592	+	furtherance of any regulatory or legal action brought as a part of
	2593	+	the Commissioner’s duties. The Commissioner shall no t otherwise
	2594	+	make the documents, materials, or other information pu blic without
	2595	+	the prior written consent of the licensee.
	2596	+
	2597	+	ENGR. S. B. NO. 543 Page 23 1
	2598	+	2
	2599	+	3
	2600	+	4
	2601	+	5
	2602	+	6
	2603	+	7
	2604	+	8
	2605	+	9
	2606	+	10
	2607	+	11
	2608	+	12
	2609	+	13
	2610	+	14
	2611	+	15
	2612	+	16
	2613	+	17
	2614	+	18
	2615	+	19
	2616	+	20
	2617	+	21
	2618	+	22
	2619	+	23
	2620	+	24
	2621	+
	2622	+	B. Neither the Commissioner nor any person who received
	2623	+	documents, materials , or other information while acting under the
	2624	+	authority of the Commissioner shall b e permitted or required to
	2625	+	testify in any private civil action concerning any confidential
	2626	+	documents, materials, or information subject to subsection A of this
	2627	+	section.
	2628	+	C. In order to assist in the perf ormance of the duties of the
	2629	+	Commissioner under this act, the Commissioner:
	2630	+	1. May share documents, materials, or other information
	2631	+	including the confidential and privileged documents, materials, or
	2632	+	information subject to subsection A of this section, with other
	2633	+	state, federal, and international regulatory age ncies, with the
	2634	+	National Association of Insurance Commissioners and its affiliates
	2635	+	or subsidiaries and with state, federal, and international law
	2636	+	enforcement authorities; provided, that the recipient agrees in
	2637	+	writing to maintain the confidentiality and pri vileged status of the
	2638	+	document, material, or other information;
	2639	+	2. May receive documents, materials, or information including
	2640	+	otherwise confidential and privileged documents, materials , or
	2641	+	information, from the National Association of Insurance
	2642	+	Commissioners, its affiliates or subsidiaries , and from regulatory
	2643	+	and law enforcement officials of other foreign or domestic
	2644	+	jurisdictions, and shall maintain as confidential or privileged any
	2645	+	document, material, or information received with notice or the
	2646	+
	2647	+	ENGR. S. B. NO. 543 Page 24 1
	2648	+	2
	2649	+	3
	2650	+	4
	2651	+	5
	2652	+	6
	2653	+	7
	2654	+	8
	2655	+	9
	2656	+	10
	2657	+	11
	2658	+	12
	2659	+	13
	2660	+	14
	2661	+	15
	2662	+	16
	2663	+	17
	2664	+	18
	2665	+	19
	2666	+	20
	2667	+	21
	2668	+	22
	2669	+	23
	2670	+	24
	2671	+
	2672	+	understanding that it is confidential or priv ileged under the laws
	2673	+	of the jurisdiction that is the source of the document, material, or
	2674	+	information;
	2675	+	3. May share documents, materials, or other information subject
	2676	+	to subsection A of this section, with a third-party consultant or
	2677	+	vendor; provided, the consultant agrees in writing to maintain the
	2678	+	confidentiality and privileged status of the document, material, or
	2679	+	other information; and
	2680	+	4. May enter into agreements governing sharing and use of
	2681	+	information consistent with this subsection.
	2682	+	D. No waiver of any applicable privilege or claim of
	2683	+	confidentiality in the documents, materials, or information shall
	2684	+	occur as a result of disclosure to the Insurance Commissioner under
	2685	+	this section or as a result of sharing as authorized in subsection C
	2686	+	of this section.
	2687	+	E. Nothing in this act shall prohibit the Commissioner from
	2688	+	releasing final, adjudicated actions that are open to public
	2689	+	inspection pursuant to the Oklahoma Open Records Act, to a database
	2690	+	or other clearinghouse service maintained by the National
	2691	+	Association of Insurance Commissioners, its affiliates, or
	2692	+	subsidiaries.
	2693	+	F. Documents, materials, or other information in the possession
	2694	+	or control of the National Association of Insur ance Commissioners or
	2695	+	a third-party consultant or vendor pursuant to this ac t shall not be
	2696	+
	2697	+	ENGR. S. B. NO. 543 Page 25 1
	2698	+	2
	2699	+	3
	2700	+	4
	2701	+	5
	2702	+	6
	2703	+	7
	2704	+	8
	2705	+	9
	2706	+	10
	2707	+	11
	2708	+	12
	2709	+	13
	2710	+	14
	2711	+	15
	2712	+	16
	2713	+	17
	2714	+	18
	2715	+	19
	2716	+	20
	2717	+	21
	2718	+	22
	2719	+	23
	2720	+	24
	2721	+
	2722	+	construed to be public information, shall not be subject to the
	2723	+	Oklahoma Open Records Act, shall not be subject to subpoena, and
	2724	+	shall not be subject to discovery or adm issible as evidence in any
	2725	+	private civil action.
	2726	+	SECTION 21. NEW LAW A new section of law to be codified
	2727	+	in the Oklahoma Statutes as Section 678 of Title 36, unless there is
	2728	+	created a duplication in numbering, reads as follows:
	2729	+	A. The Insurance Commissioner may promulgate any rules
	2730	+	necessary to carry ou t the provisions of this section.
	2731	+	B. 1. The following exceptions shall apply to this act:
	2732	+	a. a licensee with less than Five Million Dollars
	2733	+	($5,000,000.00) in gross annual revenue, is exempt
	2734	+	from this act,
	2735	+	b. a licensee subject to the Health Insurance Po rtability
	2736	+	and Accountability Act, Pub. L. 104–191, 110 Stat.
	2737	+	1936, as amended, that has established and maintains
	2738	+	an information security program pursuant to such
	2739	+	statutes, rules, regulations, procedures , or
	2740	+	guidelines established thereunder, will be considered
	2741	+	to meet the requirements of Section 4 of this act,
	2742	+	provided that the licensee is compliant with and
	2743	+	submits a written statement to the Commission er
	2744	+	certifying its compliance with the same, and
	2745	+
	2746	+	ENGR. S. B. NO. 543 Page 26 1
	2747	+	2
	2748	+	3
	2749	+	4
	2750	+	5
	2751	+	6
	2752	+	7
	2753	+	8
	2754	+	9
	2755	+	10
	2756	+	11
	2757	+	12
	2758	+	13
	2759	+	14
	2760	+	15
	2761	+	16
	2762	+	17
	2763	+	18
	2764	+	19
	2765	+	20
	2766	+	21
	2767	+	22
	2768	+	23
	2769	+	24
	2770	+
	2771	+	c. an employee, agent, repre sentative, or designee of a
	2772	+	licensee, who is also a licensee, is exempt from this
	2773	+	act and shall not be required to develop their own
	2774	+	information security program to the extent that the
	2775	+	employee, agent, representative , or designee is
	2776	+	covered by the information security program of the
	2777	+	licensee.
	2778	+	2. If a licensee ceases to qualify for an exception, the
	2779	+	licensee shall have one hundred eighty (180) days to comply with the
	2780	+	provisions of this act.
825	2781		C. In the case of a violation of this act, a licensee may be
826	2782		penalized in accordance with any a pplicable sections of the
827	2783		Insurance Code, including, but not limited to, Section 908 of Title
828	2784		36 of the Oklahoma Statutes, or any other provisi on providing for
829	2785		penalties that the licensee is subject to under the license or
830	2786		permit of the licensee. Nothing in this act shall be construed to
831		-
832		-	ENR. S. B. NO. 543 Page 20
833	2787		impose any civil liability for any violation of this act or omission
834	2788		to act by the licensee or employees of the license e.
835		-
836	2789		D. The provisions of this act shall take precedence over any
837	2790		other state laws applicable to license es for data security and the
838	2791		investigation of a cybersecurity event.
839		-
840		-	SECTION 10. NEW LAW A new section of law to be codified
	2792	+	SECTION 22. NEW LAW A new section of law to be codified
841	2793		in the Oklahoma Statutes as Section 679 of Title 36, unless there is
842	2794		created a duplication in numbering, reads as follows:
	2795	+
	2796	+	ENGR. S. B. NO. 543 Page 27 1
	2797	+	2
	2798	+	3
	2799	+	4
	2800	+	5
	2801	+	6
	2802	+	7
	2803	+	8
	2804	+	9
	2805	+	10
	2806	+	11
	2807	+	12
	2808	+	13
	2809	+	14
	2810	+	15
	2811	+	16
	2812	+	17
	2813	+	18
	2814	+	19
	2815	+	20
	2816	+	21
	2817	+	22
	2818	+	23
	2819	+	24
843	2820
844	2821		Licensees shall have one (1) year from the effective date of
845	2822		this act to implement Section 4 of this act and two (2) years from
846	2823		the effective date of this act to implement subsection F of Section
847	2824		4 of this act.
848		-
849		-	SECTION 11. This act shall become effective July 1, 2024.
850		-
851		-	SECTION 12. It being immediately necessary for the preservatio n
852		-	of the public peace, health or safety, an emergency is hereby
853		-	declared to exist, by reason whereof this act shall take effect and
854		-	be in full force from and after its passage and approval.
855		-
856		-
857		-	ENR. S. B. NO. 543 Page 21
858		-	Passed the Senate the 21st day of May, 2024.
	2825	+	SECTION 23. AMENDATORY 51 O.S. 2021, Section 24A.3, as
	2826	+	last amended by Section 1, Chapter 402, O.S.L. 2022 (51 O.S. Supp.
	2827	+	2022, Section 24A.3), is amended to read as follows:
	2828	+	Section 24A.3. As used in the Oklahoma Open Records Act:
	2829	+	1. “Record” means all documents including, but not limited to,
	2830	+	any book, paper, photograph, microfilm, data files created by or
	2831	+	used with computer software, computer tape, disk, record, sound
	2832	+	recording, film recording, video record or other material regardless
	2833	+	of physical form or characteristic, created by, received by, under
	2834	+	the authority of, or coming into the custody, control or possession
	2835	+	of public officials, public bodies or their representatives in
	2836	+	connection with the transaction of public bus iness, the expenditure
	2837	+	of public funds or the administering of public property. “Record”
	2838	+	Record does not mean:
	2839	+	a. computer software,
	2840	+	b. nongovernment personal effects,
	2841	+	c. unless public disclosure is required by other laws or
	2842	+	regulations, vehicle movement records of the Oklahoma
	2843	+	Transportation Authority obtained in connection with
	2844	+	the Authority’s electronic toll collection system,
	2845	+
	2846	+	ENGR. S. B. NO. 543 Page 28 1
	2847	+	2
	2848	+	3
	2849	+	4
	2850	+	5
	2851	+	6
	2852	+	7
	2853	+	8
	2854	+	9
	2855	+	10
	2856	+	11
	2857	+	12
	2858	+	13
	2859	+	14
	2860	+	15
	2861	+	16
	2862	+	17
	2863	+	18
	2864	+	19
	2865	+	20
	2866	+	21
	2867	+	22
	2868	+	23
	2869	+	24
	2870	+
	2871	+	d. personal financial information, credit reports or
	2872	+	other financial data obtained by or submitted to a
	2873	+	public body for the purpose of evaluating credit
	2874	+	worthiness, obtaining a license, permit or for the
	2875	+	purpose of becoming qualified to contract with a
	2876	+	public body,
	2877	+	e. any digital audio/video recordings of the toll
	2878	+	collection and safeguarding activities of the Oklahoma
	2879	+	Transportation Authority,
	2880	+	f. any personal information provided by a guest at any
	2881	+	facility owned or operated by the Oklahoma Tourism and
	2882	+	Recreation Department to obtain any service at t he
	2883	+	facility or by a purchaser of a product sold by or
	2884	+	through the Oklahoma Tourism and Recre ation
	2885	+	Department,
	2886	+	g. a Department of Defense Form 214 (DD Form 214) filed
	2887	+	with a county clerk including any DD Form 214 filed
	2888	+	before July 1, 2002,
	2889	+	h. except as provided for in Section 2 -110 of Title 47 of
	2890	+	the Oklahoma Statutes,:
	2891	+	(1) any record in connectio n with a Motor Vehicle
	2892	+	Report issued by the Department of Public Safety,
	2893	+	as prescribed in Section 6-117 of Title 47 of the
	2894	+	Oklahoma Statutes, or
	2895	+
	2896	+	ENGR. S. B. NO. 543 Page 29 1
	2897	+	2
	2898	+	3
	2899	+	4
	2900	+	5
	2901	+	6
	2902	+	7
	2903	+	8
	2904	+	9
	2905	+	10
	2906	+	11
	2907	+	12
	2908	+	13
	2909	+	14
	2910	+	15
	2911	+	16
	2912	+	17
	2913	+	18
	2914	+	19
	2915	+	20
	2916	+	21
	2917	+	22
	2918	+	23
	2919	+	24
	2920	+
	2921	+	(2) personal information within driver records, as
	2922	+	defined by the Driver ’s Privacy Protection Act,
	2923	+	18 United States Code, Sections 2721 thr ough
	2924	+	2725, which are stored and maintained by the
	2925	+	Department of Public Safety, or
	2926	+	i. any portion of any document or information provided to
	2927	+	an agency or entity of the state or a political
	2928	+	subdivision to obtain licensure under th e laws of this
	2929	+	state or a political subdivision that contains an
	2930	+	applicant’s personal address, personal phone number,
	2931	+	personal electronic mail address or other contact
	2932	+	information. Provided, how ever, lists of persons
	2933	+	licensed, the existence of a license o f a person, or a
	2934	+	business or commercial address, or other business or
	2935	+	commercial information disclosable under state law
	2936	+	submitted with an application for licensure shall be
	2937	+	public record, or
	2938	+	j. information relating to a cybersecurity event reported
	2939	+	to the Insurance Commissioner purs uant to the
	2940	+	Insurance Data Security Act;
	2941	+	2. “Public body” shall include, but not be limited to, any
	2942	+	office, department, board, bureau, commission, agency, trusteesh ip,
	2943	+	authority, council, committee, trust or any entity cr eated by a
	2944	+	trust, county, city, village, town, township, district, school
	2945	+
	2946	+	ENGR. S. B. NO. 543 Page 30 1
	2947	+	2
	2948	+	3
	2949	+	4
	2950	+	5
	2951	+	6
	2952	+	7
	2953	+	8
	2954	+	9
	2955	+	10
	2956	+	11
	2957	+	12
	2958	+	13
	2959	+	14
	2960	+	15
	2961	+	16
	2962	+	17
	2963	+	18
	2964	+	19
	2965	+	20
	2966	+	21
	2967	+	22
	2968	+	23
	2969	+	24
	2970	+
	2971	+	district, fair board, court, executive office, advisory group, task
	2972	+	force, study group or any subdivision thereof, supported in whole or
	2973	+	in part by public funds or entrusted with th e expenditure of public
	2974	+	funds or administering or operating public property, and all
	2975	+	committees, or subcommittees thereof. Except for the records
	2976	+	required by Section 24A.4 of this title, “public body” public body
	2977	+	does not mean judges, justices, the Council on Ju dicial Complaints,
	2978	+	the Legislature or legislators. “Public body” Public body shall not
	2979	+	include an organization that is exempt from federal income tax under
	2980	+	Section 501(c)(3) of the Internal Revenue Code of 1986, as amended,
	2981	+	and whose sole beneficiary is a college or university, or an
	2982	+	affiliated entity of the college or university, that is a member of
	2983	+	The Oklahoma State System of Higher Education. Such organization
	2984	+	shall not receive direct appropria tions from the Oklahoma
	2985	+	Legislature. The following persons shall not be eligible to serve
	2986	+	as a voting member of the governing board of the organization:
	2987	+	a. a member, officer, or employee of the Oklahoma State
	2988	+	Regents for Higher Education,
	2989	+	b. a member of the board of regents or other governing
	2990	+	board of the college or university that is the sole
	2991	+	beneficiary of the organization, or
	2992	+	c. an officer or employee of the college or university
	2993	+	that is the sole beneficiary of the organization;
	2994	+
	2995	+	ENGR. S. B. NO. 543 Page 31 1
	2996	+	2
	2997	+	3
	2998	+	4
	2999	+	5
	3000	+	6
	3001	+	7
	3002	+	8
	3003	+	9
	3004	+	10
	3005	+	11
	3006	+	12
	3007	+	13
	3008	+	14
	3009	+	15
	3010	+	16
	3011	+	17
	3012	+	18
	3013	+	19
	3014	+	20
	3015	+	21
	3016	+	22
	3017	+	23
	3018	+	24
	3019	+
	3020	+	3. “Public office” means the physical lo cation where public
	3021	+	bodies conduct busine ss or keep records;
	3022	+	4. “Public official” means any official or employee of any
	3023	+	public body as defined herein; and
	3024	+	5. “Law enforcement agency” means any public body charged with
	3025	+	enforcing state or local criminal laws and initiating criminal
	3026	+	prosecutions including, but not limited to, police departments,
	3027	+	county sheriffs, the Department of Public Safety, the Oklahoma State
	3028	+	Bureau of Narcotics and Dangerous Drugs Control, the Alcoholic
	3029	+	Beverage Laws Enforcement Commi ssion, and the Oklahoma State Bureau
	3030	+	of Investigation.
	3031	+	SECTION 24. This act shall become effective November 1, 20 23.
	3032	+	Passed the Senate the 20th day of March, 2023.
859	3033
860	3034
861	3035
862	3036		Presiding Officer of the Senate
863	3037
864	3038
865		-	Passed the House of Representatives the 25th day of April, 2024.
	3039	+	Passed the House of Representatives the ____ day of __________,
	3040	+	2023.
866	3041
867	3042
868	3043
869	3044		Presiding Officer of the House
870	3045		of Representatives
871	3046
872		-	OFFICE OF THE GOVERNOR
873		-	Received by the Office of the Governor this _______ _____________
874		-	day of _________________ __, 20_______, at _______ o'clock _______ M.
875		-	By: _________________________________
876		-	Approved by the Governor of the State of Oklahoma this _______ __
877		-	day of _________________ __, 20_______, at _______ o'clock _______ M.
878		-
879		-	_________________________________
880		-	Governor of the State of Oklahoma
881		-
882		-
883		-	OFFICE OF THE SECRETARY OF STATE
884		-	Received by the Office of the Secretary of State this _______ ___
885		-	day of _________________ _, 20 _______, at _______ o'clock _______ M.
886		-	By: _________________________________
	3047	+