SB 1108 - This act enacts the "Insurance Data Security Act", establishing exclusive state standards for certain parties with regard to data security, investigation of cybersecurity events as defined in the act, and notification to the Director of the Department of Commerce and Insurance. The act requires licensees to implement an information security program, as such term is defined in the act. Each licensee shall have a comprehensive information security program that is commensurate with the size and complexity of the licensee and the scope of its activities. The act specifies data protection objectives for the programs, as well as standards for risk assessment by licensees, and measures to be implemented in the information security programs. The act further details requirements for licensees' boards of directors or executive management with regard to the information security programs, and requires certain oversight of third-party service providers, as defined in the act. Licensees shall monitor their information security programs, and adjust them as appropriate consistent with relevant changes in technology and the licensees' activities. The act requires incident response plans as part of information security programs, as described in the act. Insurers domiciled in this state shall annually submit, by April 15, a written statement that the insurer is in compliance with the information security program requirements of the act, and shall maintain certain documentation for inspection by the Director of the Department of Commerce and Insurance for a period of 5 years.
The act also specifies procedures and standards for investigation of cybersecurity events, as well as requirements to notify regulators, consumers, other insurers, and insurance producers as detailed in the act if certain cybersecurity events occur. The Director of the Department of Commerce and Insurance shall have authority to enforce the act in the manner provided by law for enforcement of the insurance laws of this state.
Documents and other information furnished to the Department of Commerce and Insurance in accordance with the act shall be confidential and privileged from disclosure to other parties, as detailed in the act, and persons receiving documents or information under the Director's authority under the act shall not testify in any private civil action. In order to assist in the performance of the Director's duties under the act, the Director may receive documents and information which would otherwise be confidential and privileged, and may enter into agreements with other authorized parties.
Lastly, the act specifies certain exceptions to the act.
This act contains a severability clause.
This act contains a delayed effective date of January 1, 2025, and grants licensees additional time for the implementation of certain provisions.
ERIC VANDER WEERD