California Insurance Information and Privacy Protection Act, Cal Ins. Code § 791 et seq. |
Type of Data Covered |
Computerized personal information of California residents. |
Deadline for Notification |
Notification must be made in the most expedient time possible and without unreasonable delay. |
Government Notice |
Insurance Commissioner |
Subject Entities |
All insurers, insurance producers, and insurance support organizations registered with the California Insurance Commissioner. |
Definitions |
“Cybersecurity Incident” A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a California resident (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
“Insurance Institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2.
“Insurance-support organization” means:
|
Methods of Compliance |
Insurers, insurance producers, and insurance support organizations must comply with the collection, use, and disclosure of information in accordance with Sections 791.04 – 791.09 of the Insurance Information and Privacy Protection Act. |
Government Notice Requirements |
All insurers, insurance producers, and insurance support organizations must provide the Insurance Commissioner with any notices or information submitted to the California Attorney General’s Office in accordance with the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82(f)). This notice must also include sample copies, excluding personal information, of any security breach notices provided to consumers. This information should be provided to the Insurance Commissioner via the following designated email: DataBreach@insurance.ca.gov. |
Consumer Notice Requirements |
Consumers must be notified of a security incident impacting their personal information in accordance with the requirements provided in the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82). Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. |
Last updated: January 2024