An Act
ENROLLED SENATE
BILL NO. 543 By: Pemberton of the Senate
and
Sneed of the House
An Act relating to insurance data security; creating
the Insurance Data Security Act; providing short
title; establishing act jurisdiction; construing
provision; defining terms; requiring licensees to
develop data security program with certain
inclusions; establishing intent of security programs
created pursuant to act; directing licensee to
conduct risk assessment; directing licensee to take
certain action following risk assessment result;
requiring certain supervising boards to take certain
actions to implement program; requiring licensee to
contract with third-party service provider subject to
certain conditions; requiring licensee to maintain
updates and revisions to program; requiring licensee
develop incident response plan; requiring certain
reports be submitted to the Insurance Commissioner;
requiring insurer to maintain certain records for
specific time period; requiring investigation after
certain cybersecurity event; establishing
investigation process; requiring notification of
certain event to the Commissioner; requiring
compliance with certain state laws; providing for
certain exemption; providing for the Commissioner to
investigate certain licensees for cert ain violations;
providing for confidentiality of certain information
relating to cybersecurity event; allowing
Commissioner to share certain data with national
association; construing provision; providing for rule
promulgation; providing certain exceptions to act;
establishing penalties; providing for codification;
providing an effective date ; and declaring an
emergency.
ENR. S. B. NO. 543 Page 2
SUBJECT: Insurance Data Security Act
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 670 of Title 36, unless there is
created a duplication in numbering, reads as follows:
This act shall be known and may be cited as the “Insurance Data
Security Act”.
SECTION 2. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 671 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. Notwithstanding any other provision of law, the provisions
of this act shall be the exclusive state law for licensees subject
to the jurisdiction of the Insurance Commissioner for data security,
the investigation of a cybersecurity event, and notification to the
Commissioner.
B. This act shall not be construed to c reate or imply a private
cause of action for violations of its provisions.
SECTION 3. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 672 of Title 36, unless there is
created a duplication in numberi ng, reads as follows:
As used in this act:
1. “Authorized individual” means an individual known to and
screened by the licensee and determined to be necessary and
appropriate to have access to the nonpublic information held by the
licensee and its infor mation systems;
2. “Commissioner” means the Insurance Commissioner;
ENR. S. B. NO. 543 Page 3
3. “Consumer” means an individual, including but not limited to
applicants, policyholders, insureds, beneficiaries, claimants, and
certificate holders, who is a resident of this state and whose
nonpublic information is in the possession, custody, or control of a
licensee;
4. “Cybersecurity event” means an event resulting in
unauthorized access to or disruption or misuse of an information
system or nonpublic information stored on the information system.
The term cybersecurity event shall not include the unauthorized
acquisition of encrypted nonpublic information if the encryption,
process, or key is not also acquired, released, or used without
authorization. Cybersecurity event shall not include an event in
which the licensee has determined that the nonpublic information
accessed by an unauthorized person has not been used or released and
has been returned or destroyed;
5. “Department” means the Insurance Department;
6. “Encrypted” means the transformation of data into a form
which results in a low probability of assigning meaning without the
use of a protective process or key;
7. “Information security program” means the administrative,
technical, and physical safeguards that a li censee uses to access,
collect, distribute, process, protect, store, use, transmit, dispose
of, or otherwise handle nonpublic information;
8. “Information system” means a discrete set of electronic
information resources organized for the collection, proc essing,
maintenance, use, sharing, dissemination or disposition of nonpublic
information, as well as any specialized system such as industrial or
process controls systems, telephone switching and private branch
exchange systems, and environmental control s ystems;
9. “Licensee” means any person licensed, authorized to operate,
or registered, or required to be licensed, authorized to operate, or
registered, pursuant to Title 36 of the Oklahoma Statutes; provided,
however, that it shall not include a purchas ing group or a risk
retention group chartered and licensed in a state other than this
state or a person that is acting as an assuming insurer that is
domiciled in another state or jurisdiction;
ENR. S. B. NO. 543 Page 4
10. “Multi-factor authentication” means authentication throu gh
verification of at least two (2) of the following types of
authentication factors:
a. knowledge factors, such as a password,
b. possession factors, such as a token or text message on
a mobile phone, or
c. inherence factors, such as a biometric charac teristic;
11. “Nonpublic information” means electronic information that
is not publicly available and is:
a. business related information of a licensee, of which
the tampering with or unauthorized disclosure, access,
or use of would cause a material adv erse impact to the
business, operations, or security of the licensee,
b. any information concerning a consumer that, because of
name, number, personal mark, or other identifier, can
be used to identify him or her, in combination with
any one or more of th e following data elements:
(1) social security number,
(2) driver license number or nondriver identification
card number,
(3) financial account number, credit card number, or
debit card number,
(4) any security code, access code, or password that
would permit access to a consumer’s financial
account, or
(5) biometric records, or
c. any information or data, except age or gender, in any
form or medium created by or derived from a health
ENR. S. B. NO. 543 Page 5
care provider or a consumer that can be used to
identify a particular consumer and that relates to:
(1) the past, present, or future physical, mental, or
behavioral health or condition of any consumer or
a member of the family of the consumer,
(2) the provision of health care to any consumer, or
(3) payment for the provision of health care to any
consumer;
12. “Person” means any individual or any nongovernmental
entity including, but not limited to, any nongovernmental
partnership, corporation, branch, agency, or asso ciation;
13. “Publicly available information” means any information that
a licensee has reasonable basis to believe is lawfully made
available to the general public from federal, state, or local
government records, widely distributed media, or disclosures to the
general public that are required to be made by federal, state, or
local law. For the purposes of this definition, a licensee has a
reasonable basis to believe that information is lawfully made
available to the general public if the licensee has taken steps to
determine:
a. that the information is of the type that is availa ble
to the general public, and
b. whether a consumer can direct that the information not
be made available to the general public and, if so,
that such consumer has not done so; and
14. “Third-party service provider” means a person, not
otherwise defined as a licensee, that contracts with a licensee to
maintain, process, store, or otherwise is permitted access to
nonpublic information through its provision of services to the
licensee.
SECTION 4. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 673 of Title 36, unless there is
created a duplication in numbering, reads as follows:
ENR. S. B. NO. 543 Page 6
A. Each licensee in this state shall develop, implement, and
maintain a comprehensive written information security program based
on the risk assessment of the licensee provided for in this act and
that contains administrative, technical, and physical safeguards for
the protection of nonpublic in formation and the information systems
of the licensee. The program shall be commensurate with the size and
complexity of the licensee, the nature and scope of the activities
of the licensee, including its use of third-party service providers,
and the sensitivity of the nonpublic information used by the
licensee or in the possession, custody, or control of the licensee.
B. An information security program of a licensee shall be
designed to:
1. Protect the security and confidentiality of nonpublic
information and the security of the information systems;
2. Protect against any threats or hazards to the security or
integrity of nonpublic information and the information systems;
3. Protect against unauthorized access to or use of nonpublic
information, and minimize the likelihood of harm to any consumer;
and
4. Define and periodically reevaluate a schedule for retention
of nonpublic information and a mechanism for its destruction when no
longer needed.
C. The licensee shall:
1. Designate one or more employees, an affiliate, or an outside
vendor designated to act on behalf of the licensee who is
responsible for the information security program;
2. Identify reasonably foreseeable internal or external threats
that could result in unauthorized access, trans mission, disclosure,
misuse, alteration, or destruction of nonpublic information
including, but not limited to, the security of information systems
and nonpublic information that are accessible to, or held by, third-
party service providers;
ENR. S. B. NO. 543 Page 7
3. Assess the likelihood and potential damage of these threats,
taking into consideration the sensitivity of the nonpublic
information;
4. Assess the sufficiency of policies, procedures, information
systems, and other safeguards in place to manage these threats,
including consideration of threats in each relevant area of the
operations of the li censee, including:
a. employee training and management,
b. information systems, including, but not limited to,
network and software design, as well as information
classification, governance, processing, s torage,
transmission, and disposal, and
c. detecting, preventing, and responding to attacks,
intrusions, or other systems failures; and
5. Implement information safeguards to manage the threats
identified in its ongoing assessment, and no less than annually,
assess the effectiveness of the key controls, systems, and
procedures of the safeguards.
D. Based on the results of the risk assessment, the licensee
shall:
1. Design its information security program to mitigate the
identified risks, commensurate with the size and complexity of the
licensee, the nature and scope of the activities of the licensee
including its use of third-party service providers, and the
sensitivity of the nonpublic information used by the licensee or in
the possession, custody, or control of the licensee;
2. Determine and implement security measures deemed
appropriate, including:
a. place access controls on information systems
including controls to authenticate and permit access
only to authorized individuals to protect against the
unauthorized acquisition of nonpublic information,
ENR. S. B. NO. 543 Page 8
b. identify and manage the data, personnel, devices,
systems, and facilities that enable the organization
to achieve business purposes in acco rdance with their
relative importance to business objectives and the
risk strategy of the organization,
c. restrict physical access to nonpublic information to
authorized individuals only,
d. protect by encryption or other appropriate means, all
nonpublic information while being transmitted over an
external network and all nonpublic information stored
on a laptop computer or other portable computing or
storage device or media,
e. adopt secure development practices for in-house
developed applications utilized by the licensee,
f. modify the information system in accordance with the
information security program of the licensee,
g. utilize effective controls, which may include multi-
factor authentication procedures for any authorized
individual accessing nonpublic information,
h. regularly test and monitor systems and procedures to
detect actual and attempted attacks on, or intrusions
into, information systems,
i. include audit trails within the information security
program designed to detect and respond to
cybersecurity events and designed to reconstruct
material financial transactions sufficient to support
normal operations and ob ligations of the licensee,
j. implement measures to protect against destruction,
loss, or damage of nonpublic information due to
environmental hazards such as fire and water damage or
other catastrophic events or technological failures,
and
ENR. S. B. NO. 543 Page 9
k. develop, implement, and maintain procedures for the
secure disposal of nonpublic information in any format;
3. Include cybersecurity risks in the enterprise risk management
process of the licensee;
4. Stay informed regarding emerging threats or vulnerabilities
and utilize reasonable security measures when sharing information
relative to the character of the sharing and the type of information
shared; and
5. Provide its personnel with cybersecurity awareness training
that is updated as necessary to reflect risks identified by the
licensee in the risk assessment.
E. If the licensee has a board of directors, the board or an
appropriate committee of the board, at a minimum, within one year of
the effective date o f this act, shall:
1. Require the executive management of the licensee or its
delegates to develop, implement, and maintain the information
security program of the licensee;
2. Require the executive management of the licensee or its
delegates to report to the Insurance Commissioner in writing, at
least annually, the following information:
a. the overall status of the information security program
and the compliance of the licensee with this act, and
b. material matters related to the information securi ty
program, addressing issues such as risk assessment,
risk management and control decisions, third -party
service provider arrangements, results of testing,
cybersecurity events or violations and responses of
the management to those events or violations, a nd
recommendations for changes in the information
security program; and
3. If executive management delegates any of its
responsibilities, it shall oversee the development, implementation,
and maintenance of the information security program of the license e
ENR. S. B. NO. 543 Page 10
prepared by the delegate or delegates and shall receive a report
from the delegate or delegates complying with the requirements of
the report to the board.
F. A licensee shall exercise due diligence in selecting its
third-party service provider and sha ll require the provider to
implement appropriate administrative, technical, and physical
measures to protect and secure the information systems and nonpublic
information that are accessible to, or held by, the third -party
service provider.
G. The licensee shall monitor, evaluate, and adjust, as
appropriate, the information security program consistent with any
relevant changes in technology, the sensitivity of its nonpublic
information, internal or external threats to information and the
changing business arrangements of the licensee, such as mergers and
acquisitions, alliances and joint ventures, outsourcing
arrangements, and changes to information systems.
H. As part of its information security program, each licensee
shall establish a written incident r esponse plan designed to
promptly respond to, and recover from, any cybersecurity event that
compromises the confidentiality, integrity, or availability of
nonpublic information in its possession, the information systems of
the licensee, or the continuing functionality of any aspect of the
business or operations of the licensee.
The incident response plan shall address the following areas:
1. The internal process for responding to a cybersecurity
event;
2. The goals of the incident response plan;
3. The definition of clear roles, responsibilities, and levels
of decision-making authority;
4. External and internal communications and information
sharing;
ENR. S. B. NO. 543 Page 11
5. Identification of requirements for the remediation of any
identified weaknesses in information systems and associated
controls;
6. Documentation and reporting regarding cybersecurity events
and related incident response activities; and
7. The evaluation and revision as necessary of the incident
response plan following a cybersecurity event.
I. Annually, each insurer domiciled in this state shall submit
to the Commissioner a written statement by April 15, certifying that
the insurer complies with the requirements set forth in this section.
Each insurer shall maintain, for examination by the Insurance
Department, all records, schedules, and data supporting this
certificate for a period of five (5) years. To the extent an
insurer has identified areas, syste ms, or processes that require
material improvement, updating, or redesign, the insurer shall
document the identification and the remedial efforts planned and
underway to address such areas, sys tems, or processes. The
documentation shall be available for inspection by the Commissioner
upon request.
SECTION 5. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 674 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. If the licensee learns that a cybersecurity event has or
may have occurred, the licensee, or an outside vendor or service
provider designated to act on behalf of the licensee, shall conduct
a prompt investigation.
B. During the investigation, the licensee, or an outside vendor
or service provider designated to act on behalf of the licensee,
shall, at a minimum:
1. Determine whether a cybersecurity event has occurred;
2. Assess the nature and scope of the cybersecurity event;
3. Identify any nonpublic information that may have been
involved in the cybersecurity event; and
ENR. S. B. NO. 543 Page 12
4. Perform or oversee reasonable measures to restore the
security of the information systems compromised in the cybersecurity
event in order to prevent further unauthorized acquisition, release,
or use of nonpublic information in the possession, custody, or
control of the licensee.
C. If the licensee learns that a cybersecurity event has or may
have occurred in a system maintained by a third -party service
provider, the licensee shall complete the steps listed in subsection
B of this section or confirm and document that the third-party
service provider has completed those steps.
D. The licensee shall maintain records concerning all
cybersecurity events for a period of at least five (5) years from
the date of the cybersecurity event and shall produce those records
upon request by the Insurance Commissioner.
SECTION 6. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 675 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. Every licensee shall notify the Insurance Commissioner
without unreasonable delay, but not later than three business days,
from a determination that a cybersecurity event involving nonpublic
information that is in the possession of a licensee has occurred
when either of the following criteria has been met:
1. This state is the state of domicile of the licensee, in the
case of an insurer, or this state is the home state of the licensee,
in the case of a producer, as those terms are defined in the
Oklahoma Producer Lice nsing Act, Sections 1435.1 through 1435.41 of
Title 36 of the Oklahoma Statutes, and the cybersecurity event has a
reasonable likelihood of materially harming any material part of the
normal operations of the licensee or any consumer residing in this
state; or
2. The licensee reasonably believes that the nonpublic
information involved is of two hundred fifty (250) or more consumers
residing in this state and is either of the following:
ENR. S. B. NO. 543 Page 13
a. a cybersecurity event impacting the licensee of which
notice is required to be provided to any government
body, self-regulatory agency, or any other supervisory
body pursuant to any state or federal law, or
b. a cybersecurity event that has a reasonable likelihood
of materially harming:
(1) any consumer residing in thi s state, or
(2) any material part of the normal operation or
operations of the licensee.
B. The licensee making the notification required in subsection
A of this section shall provide as much of the following information
as possible, electronically in t he manner and form prescribed by the
Commissioner, along with any applicable fees. The licensee shall
have a continuing obligation to update and supplement initial and
subsequent notifications to the Commissioner regarding material
changes to previously p rovided information relating to the
cybersecurity event. The licensee shall provide:
1. Date of the cybersecurity event;
2. Description of how the information was exposed, lost,
stolen, or breached including, but not limited to, the specific
roles and responsibilities of third -party service providers, if any;
3. How the cybersecurity event was discovered;
4. Whether any lost, stolen, or breached information has been
recovered and, if so, how this was done;
5. The identity of the source of the cyb ersecurity event;
6. Whether the licensee has filed a police report or has
notified any regulatory, government, or law enforcement agencies
and, if so, when such notification was provided;
7. Description of the specific types of information acquired
without authorization. The term “specific types of information”
means particular data elements including, but not limited to, types
ENR. S. B. NO. 543 Page 14
of medical information, financial information, or information
allowing identification of the consumer;
8. The period during which the information system was
compromised by the cybersecurity event;
9. The number of total consumers in this state affected by the
cybersecurity event. The licensee shall provide the best estimate
in the initial report to the Commissioner and upda te this estimate
with each subsequent report to the Commissioner pursuant to this
section;
10. The results of any internal review identifying a lapse in
either automated controls or internal procedures, or confirming that
all automated controls or intern al procedures were followed;
11. Description of efforts being undertaken to remediate the
situation which permitted the cybersecurity event to occur;
12. A copy of the privacy policy of the licensee and a
statement outlining the steps the licensee will take to investigate
and notify consumers affected by the cybersecurity event; and
13. Name of a contact person who is both familiar with the
cybersecurity event and authorized to act for the licensee.
C. A licensee shall comply with the procedures of the Security
Breach Notification Act, Section 161 et seq. of Title 24 of the
Oklahoma Statutes, to notify affected consumers and provide a copy
of the notice sent to consumers under that statute to the
Commissioner, when a licensee is required to notify th e Commissioner
under subsection A of this section.
D. 1. In the case of a cybersecurity event in a system
maintained by a third -party service provider, of which the licensee
has become aware, the licensee shall treat the event as it would
under subsection A of this section unless the third -party service
provider provides the notice required under subsection A of this
section to the Commissioner and the licensee.
2. The computation of deadlines of the licensee shall begin on
the day after the third -party service provider notifies the licensee
ENR. S. B. NO. 543 Page 15
of the cybersecurity event or the licensee otherwise has actual
knowledge of the cybersecurity event, whichever is sooner.
3. Nothing in this act shall prevent or abrogate an agreement
between a licensee and anoth er licensee, a third -party service
provider, or any other party to fulfill any of the investigation
requirements or notice requirements imposed under this act.
E. 1. In the case of a cybersecurity event involving nonpublic
information that is used by th e licensee that is acting as an
assuming insurer, or in the possession, custody, or control of a
licensee, that is acting as an assuming insurer and that does not
have a direct contractual relationship with the affected consumers,
the assuming insurer shal l notify its affected ceding insurers and
the Commissioner of its state of domicile within three (3) business
days of making the determination that a cybersecurity event has
occurred. The ceding insurers that have a direct contractual
relationship with af fected consumers shall fulfill the consumer
notification requirements imposed under the Security Breach
Notification Act, Section 161 et seq. of Title 24 of the Oklahoma
Statutes, and any other notification requirements relating to a
cybersecurity event im posed under this section.
2. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody, or control of a
third-party service provider of a licensee that is an assuming
insurer, the assuming insurer shall notif y its affected ceding
insurers and the Commissioner of its state of domicile within three
(3) business days of receiving notice from its third -party service
provider that a cybersecurity event has occurred. The ceding
insurers that have a direct contractu al relationship with affected
consumers shall fulfill the consumer notification requirements
imposed under Security Breach Notification Act, Section 161 et seq.
of Title 24 of the Oklahoma Statutes, and any other notification
requirements relating to a cyb ersecurity event imposed under this
section.
F. In the case of a cybersecurity event involving nonpublic
information that is in the possession, custody, or control of a
licensee that is an insurer or its third -party service provider for
which a consumer accessed the services of the insurer through an
independent insurance producer, and for which consumer notice is
ENR. S. B. NO. 543 Page 16
required by this act or the Security Breach Notification Act,
Section 161 et seq. of Title 24 of the Oklahoma Statutes, the
insurer shall notify the producers of record of all affected
consumers of the cybersecurity event no later than the time at which
notice is provided to the affected consumers. The insurer is
excused from this obligation for any producers who are not
authorized by law or con tract to sell, solicit, or negotiate on
behalf of the insurer, and in those instances in which the insurer
does not have the current producer of record information for an
individual consumer. Any licensee acting as an assuming insurer
shall have no other notice obligations relating to a cybersecurity
event or other data breach under this section or any other law of
this state.
SECTION 7. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 676 of Title 36 , unless there is
created a duplication in numbering, reads as follows:
A. The Insurance Commissioner shall have power to examine and
investigate the affairs of any licensee to determine whether the
licensee has been or is engaged in any conduct in violation of the
provisions of this act or any rules promulgated thereto. This power
is in addition to the powers which the Commissioner has under
applicable provisions of the Insurance Code including, but not
limited to, Sections 309.1 through 309.6, 332, and 1250.4 of Title
36 of the Oklahoma Statutes .
B. Whenever the Commissioner has reason to believe that a
licensee has been or is engaged in conduct in this state that
violates any provision of this act, the Commissioner may take action
that is necessary or appropriate to enforce the provisions.
SECTION 8. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 677 of Title 36, unless there is
created a duplication in numbering, reads as follows:
A. Any documents, materials, or other information in the
control or possession of the Insurance Department that are furnished
by a licensee or an employee or agent thereof acting on behalf of a
licensee pursuant to the provisions of Section 4 and Section 6 of
this act or that are obtained by the Insurance Commissioner in an
investigation or examination pursuant to Section 7 of this act shall
ENR. S. B. NO. 543 Page 17
be confidential by law and privileged, shall not be subject to the
Oklahoma Open Records Act, shall not be subject to subpoena, and
shall not be subject to discovery or admissible in evidence in any
private civil action. However, the Commissioner is authorized to
use the documents, materials, or other information in the
furtherance of any regulatory or legal action brought as a p art of
the Commissioner’s duties. The Commissioner shall not otherwise
make the documents, materials, or other information public without
the prior written consent of the licensee.
B. Neither the Commissioner nor any person who received
documents, materials, or other information while acting under the
authority of the Commissioner shall be permitted or required to
testify in any private civil action concerning any confidential
documents, materials, or information subject to subsection A of this
section.
C. In order to assist in the performance of the duties of the
Commissioner under this act, the Commissioner:
1. May share documents, materials, or other information
including the confidential and privileged documents, materials, or
information subject to subsection A of this section, with other
state, federal, and international regulatory agencies, with the
National Association of Insurance Commissioners and its affiliates
or subsidiaries and with state, federal, and international law
enforcement authorities; provided, that the recipient agrees in
writing to maintain the confidentiality and privileged status of the
document, material, or other information;
2. May receive documents, materials, or information including
otherwise confidential and privileg ed documents, materials, or
information, from the National Association of Insurance
Commissioners, its affiliates or subsidiaries, and from regulatory
and law enforcement officials of other foreign or domestic
jurisdictions, and shall maintain as confident ial or privileged any
document, material, or information received with notice or the
understanding that it is confidential or privileged under the laws
of the jurisdiction that is the source of the document, material, or
information;
ENR. S. B. NO. 543 Page 18
3. May share documents, materials, or other information subject
to subsection A of this section, with a third-party consultant or
vendor; provided, the consultant agrees in writing to maintain the
confidentiality and privileged status of the document, material, or
other information; and
4. May enter into agreements governing sharing and use of
information consistent with this subsection.
D. No waiver of any applicable privilege or claim of
confidentiality in the documents, materials, or information shall
occur as a result of disclosure to the Insurance Commissioner under
this section or as a result of sharing as authorized in subsection C
of this section.
E. Nothing in this act shall prohibit the Commissioner from
releasing final, adjudicated actions that are open to public
inspection pursuant to the Oklahoma Open Records Act, to a database
or other clearinghouse service maintained by the National
Association of Insurance Commissioners, its affiliates, or
subsidiaries.
F. Documents, materials, or other information in the possession
or control of the National Association of Insurance Commissioners or
a third-party consultant or vendor pursuant to this act shall not be
construed to be public information, shall not be subject to the
Oklahoma Open Records Act, shall not be su bject to subpoena, and
shall not be subject to discovery or admissible as evidence in any
private civil action.
SECTION 9. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 678 of Title 36, unless ther e is
created a duplication in numbering, reads as follows:
A. The Insurance Commissioner may promulgate any rules
necessary to carry out the provisions of this section.
B. 1. The following exceptions shall apply to this act:
a. a licensee with less t han Five Million Dollars
($5,000,000.00) in gross annual revenue, is exempt
from this act,
ENR. S. B. NO. 543 Page 19
b. a licensee subject to the Health Insurance Portability
and Accountability Act, Pub. L. 104 –191, 110 Stat.
1936, as amended, that has established and maintains
an information security program pursuant to such
statutes, rules, regulations, procedures, or
guidelines established thereunder, will be considered
to meet the requirements of Section 4 of this act,
provided that the licensee is compliant with and
submits a written statement to the Commissioner
certifying its compliance with the same,
c. a licensee subject to Title V of the federal Gramm -
Leach-Bliley Act of 1999 (15 U.S.C. Sections 6801-6809
and 6821-6827) that has established and maintains an
information security program pursuant to such,
statutes, rules, regulations, procedures, or
guidelines established thereunder, will be considered
to meet the requirements of Section 4 of this act,
provided that the licensee is compliant with and
submits a written statem ent to the Commissioner
certifying its compliance with the same, and
d. an employee, agent, representative, or designee of a
licensee, who is also a licensee, is exempt from this
act and shall not be required to develop their own
information security prog ram to the extent that the
employee, agent, representative, or designee is
covered by the information security program of the
licensee.
2. If a licensee ceases to qualify for an exception, the
licensee shall have one hundred eighty (180) days to comply w ith the
provisions of this act.
C. In the case of a violation of this act, a licensee may be
penalized in accordance with any applicable sections of the
Insurance Code, including, but not limited to, Section 908 of Title
36 of the Oklahoma Statutes, or a ny other provision providing for
penalties that the licensee is subject to under the license or
permit of the licensee. Nothing in this act shall be construed to
ENR. S. B. NO. 543 Page 20
impose any civil liability for any violation of this act or omission
to act by the licensee o r employees of the licensee.
D. The provisions of this act shall take precedence over any
other state laws applicable to licensees for data security and the
investigation of a cybersecurity event.
SECTION 10. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 679 of Title 36, unless there is
created a duplication in numbering, reads as follows:
Licensees shall have one (1) year from the effective date of
this act to implement Section 4 of this act and two (2) years from
the effective date of this act to implement subsection F of Section
4 of this act.
SECTION 11. This act shall become effective July 1, 2024.
SECTION 12. It being immediately necessary for the preservatio n
of the public peace, health or safety, an emergency is hereby
declared to exist, by reason whereof this act shall take effect and
be in full force from and after its passage and approval.
ENR. S. B. NO. 543 Page 21
Passed the Senate the 21st day of May, 2024.
Presiding Officer of the Senate
Passed the House of Representatives the 25th day of April, 2024.
Presiding Officer of the House
of Representatives
OFFICE OF THE GOVERNOR
Received by the Office of the Governor this _______ _____________
day of _________________ __, 20_______, at _______ o'clock _______ M.
By: _________________________________
Approved by the Governor of the State of Oklahoma this _______ __
day of _________________ __, 20_______, at _______ o'clock _______ M.
_________________________________
Governor of the State of Oklahoma
OFFICE OF THE SECRETARY OF STATE
Received by the Office of the Secretary of State this _______ ___
day of _________________ _, 20 _______, at _______ o'clock _______ M.
By: _________________________________