SS/HCS/HBs 974, 57, 1032 & 1411 - This act enacts provisions relating to insurance modernization through standards governing digital systems.INSURANCE COMPANIES' DATA SECURITY (Sections 375.1400, 375.1402, 375.1405, 375.1407, 375.1410, 375.1412, 375.1415, 375.1417, 375.1420, 375.1422, 375.1425, and 375.1427)
This act enacts the "Insurance Data Security Act", establishing exclusive state standards for certain parties with regard to data security, investigation of cybersecurity events as defined in the act, and notification to the Director of the Department of Commerce and Insurance.
The act requires licensees to implement an information security program, as such term is defined in the act. Each licensee shall have a comprehensive information security program that is commensurate with the size and complexity of the licensee and the scope of its activities. The act specifies data protection objectives for the programs, as well as standards for risk assessment by licensees, and measures to be implemented in the information security programs. The act further details requirements for licensees' boards of directors or executive management with regard to the information security programs, and requires certain oversight of third-party service providers, as defined in the act. Licensees shall monitor their information security programs, and adjust them as appropriate consistent with relevant changes in technology and the licensees' activities. The act requires incident response plans as part of information security programs, as described in the act. Insurers domiciled in this state shall annually submit, by April 15, a written statement that the insurer is in compliance with the information security program requirements of the act, and shall maintain certain documentation for inspection by the Director of the Department of Commerce and Insurance for a period of 3 years.
The act also specifies procedures and standards for investigation of cybersecurity events, as well as requirements to notify regulators, consumers, other insurers, and insurance producers as detailed in the act if certain cybersecurity events occur. The Director of the Department of Commerce and Insurance shall have authority to enforce the act in the manner provided by law for enforcement of the insurance laws of this state.
Documents and other information furnished to the Department of Commerce and Insurance in accordance with the act shall be confidential and privileged from disclosure to other parties, as detailed in the act, and persons receiving documents or information under the Director's authority under the act shall not testify in any private civil action. In order to assist in the performance of the Director's duties under the act, the Director may receive documents and information which would otherwise be confidential and privileged, and may enter into agreements with other authorized parties.
Lastly, the act specifies certain exceptions to these provisions.
These provisions are subject to a severability clause.
These provisions contain a delayed effective date of January 1, 2026, and grants licensees additional time for the implementation of certain provisions. (Section 375.1427).
These provisions are identical to HCS/HB 436 (2025), and similar to SB 385 (2025), SB 1108 (2024), and HB 2316 (2024).
INSURANCE FOR CERTAIN USES OF MOTOR VEHICLES (Sections 379.1900, 379.1905, 379.1910, 379.1915, 379.1920, 379.1925, 379.1930, 379.1935, 379.1940, 379.1945, 379.1950, 379.1955, 379.1960, 379.1965, and 379.1970)
This act enacts the "Peer-to-Peer Car Sharing Program Insurance Act". Nothing in the act shall be construed to extend beyond insurance or have any implications for any other laws, or to distinguish or equate peer-to-peer car sharing programs and car rental companies.
The act requires peer-to-peer car sharing programs, as defined in the act, to assume liability for property damage and bodily injury in an amount at least equal to the coverage required under the Motor Vehicle Financial Responsibility Law, as detailed in the act, and specifies certain requirements for insurance coverage and the resolution of coverage disputes. (Section 379.1915).
At the time a vehicle owner registers on a peer-to-peer car sharing program, but before the owner makes a vehicle available for car sharing, the program shall provide notice that participation in the program may violate the terms of a contract with the holders of any liens on the vehicle. (Section 379.1920).
Motor vehicle insurers in this state may exclude any and all coverage under a shared motor vehicle owner's policy of motor vehicle liability insurance. (Section 379.1925).
Under the act, peer-to-peer car sharing programs shall collect and verify certain records pertaining to the use of a vehicle, and provide them upon request to the vehicle owner, vehicle owner's insurer, or the driver's insurer to facilitate the processing of insurance claims, and shall retain the records for a time period not less than the applicable personal injury statute of limitations. (Section 379.1930).
The act provides that peer-to-peer car sharing programs and shared vehicle owners shall be exempt from vicarious liability based solely on vehicle ownership (Section 379.1935), and specifies that motor vehicle insurers shall have the right to seek recovery against the peer-to-peer car sharing program's insurer for defending certain claims (Section 379.1940).
Peer-to-peer car sharing programs shall have an insurable interest in shared vehicles as specified in the act, but are not required to maintain the insurance coverage mandated in the act. (Section 379.1945).
The act outlines certain content peer-to-peer car sharing program agreements are required to include (Section 379.1950), and requires the peer-to-peer car sharing program to verify and keep records of certain information about drivers (Section 379.1955).
Peer-to-peer car sharing programs shall have sole responsibility for any equipment put in or on a vehicle to facilitate a car sharing transaction, and shall hold harmless the vehicle owner for any damage or theft occurring to the equipment during the car sharing period, but may seek compensation from the shared vehicle drivers for the damages or loss. (Section 379.1960).
Lastly, the act specifies parties' responsibilities regarding safety recalls. (Section 379.1965).
These provisions have a delayed effective date of January 1, 2026. (Section B).
These provisions are substantially similar to provisions in SCS/SB 181 (2025), and provisions in SB 904 (2024), and similar to SB 647 (2025), provisions in HB 1542 (2024), and provisions in HB 1243 (2023).
ERIC VANDER WEERD