On July 31, 2019, Governor Carney signed the Delaware Insurance Data Security Act (formerly HB 174) into law. Based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, the Delaware law establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security (or cybersecurity) program. It also requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it empowers the Department of Insurance to investigate violations of the Act and levy penalties against insurance carriers.
According to the August 1, 2019 press release issued by the Delaware Department of Insurance:
Prior to the implementation of this law, there were no standards for insurance companies to follow regarding protection of consumers’ data, and notifying the Department. Historically, when an insurer determined that a data breach had occurred, notification to the Department of Insurance was delayed, sometimes by several months. Notably, this Act accomplishes the following:
- Requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ Nonpublic Information and personal data;
- Requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
- Notify the Insurance Commissioner within three (3) business days of determining that a data breach or cybersecurity event has occurred;
- Mandates that insurers notify all impacted consumers within sixty (60) days of the determination that their data has or may have been compromised;
- Requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
- Endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of this Act and take action accordingly.
Further and more detailed analysis of the Delaware Insurance Data Security Act will follow under a separate alert.