​Insurance Data Security

On June 14, 2023, Governor Shapiro signed Act 2 of 2023 (HB 739), which requires insurance licensees to take specific actions to safeguard consumers' information. This legislation was derived from model legislation developed by the National Association of Insurance Commissioners, incorporating input from all participating state insurance commissioners, industry stakeholders and consumer representatives. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations and notification to the Commissioner of cybersecurity events. Act 2 becomes effective December 11, 2023.

Key Implementation Dates

• December 11, 2023, the Act becomes effective. This requires, among other things, that a licensee investigate a cybersecurity event and notify the Commissioner as promptly as possible, but in no event later than five business days after determining that a cybersecurity event has occurred when certain criteria are met.
• December 11, 2024, licensees must have implemented the requirements regarding Risk Assessment, Information Security Program, and Corporate Oversight.  
• December 11, 2025, licensees must have implemented the additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee. Information related to third-party service providers is located under § 4515 of the Act.
• No later than April 15, 2026, each insurer must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in the Act. Information related to certification is located under § 4516 of the Act.

Next Steps

Questions

Questions concerning the Act or, to report a cybersecurity event, can be sent to RA-INdatasecurity@pa.gov.