Insurance Data Security
Act 2 of 2023 (HB 739) requires insurance licensees to take specific actions to safeguard consumers' information, effective December 11, 2023. This legislation was derived from model legislation developed by the National Association of Insurance Commissioners, incorporating input from all participating state insurance commissioners, industry stakeholders, and consumer representatives. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events.
Upcoming Key Implementation Dates
- December 11, 2024, licensees must have implemented the required elements relating to Risk Assessment, Information Security Program, and Corporate Oversight.
- December 11, 2025, licensees must have implemented the additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee. Information related to third-party service providers is located under § 4515 of the Act.
- No later than April 15, 2026, each insurer must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements outlined in the Act. Information related to certification is located under § 4516 of the Act.
Submit a Cybersecurity Event Notification
A "cybersecurity event" is an event resulting in unauthorized access to, disruption of or misuse of an information system or nonpublic information stored on the information system. The term does not include:
- The unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released, or used without authorization.
- An event where the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
This Act requires, among other things, that a licensee investigate a cybersecurity event and notify the Commissioner as promptly as possible, but in no event later than five business days after determining that a cybersecurity event has occurred when certain criteria are met. If a cybersecurity event is not reported within 5 business days, the Licensee could face additional Department oversight, examinations, or even loss of license.
Submit a Notification of Cybersecurity Event to the Commissioner
Cybersecurity Event Examples
Below are common examples of cybersecurity events that would require a licensee to notify the Department. These breach examples include, but are not limited to:
- Theft
- Phishing
- Hacking
- Stolen/Lost Equipment
- DNS/Ransomware
- Improper Disclosure
- Improper Disposal
- Lost During Move
- Unauthorized Access
- Compromised Computer/Equipment
It is important to note that this list is not exhaustive and other circumstances not included on the list above may qualify as a Cybersecurity event and require the commissioner's notification. If you are unsure or have questions, please reach out via email to
RA-INdatasecurity@pa.gov.
Important Terminology
Licensees should be aware of the following terms used in cybersecurity event notifications.
- Incident Response Plan: a written document that guides IT professionals on how to respond and recover from a serious security incident.
- Unauthorized access: when someone connects to a system without permission, using someone else's account or other methods.
- Information system: a collection of components working together to collect, process, store, and share information for decision-making, coordination, and analysis.
- Non-public information: stored electronically, not publicly available, and includes business-related information that could harm the licensee if tampered with, consumer information that can identify them, and health-related information.
Questions
Questions concerning the Act or a Cybersecurity event notification can be sent to RA-INdatasecurity@pa.gov.