California Insurance Information and Privacy Protection Act

California Insurance Information and Privacy Protection Act, Cal. Ins. Code § 791 et seq.

California Insurance Department - Feb 5, 2015 Notice

Type of Data Covered: Computerized personal information of California residents.

Deadline for Notification: Notification must be made in the most expedient time possible and without unreasonable delay.

Government Notice: Insurance Commissioner

Subject Entities

All insurers, insurance producers, and insurance support organizations registered with the California Insurance Commissioner.

Definitions

“Cybersecurity Incident” A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a California resident (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.

“Insurance Institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2.

“Insurance-support organization” means:

  1. Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
    1. The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
    2. The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.
  2. Notwithstanding paragraph (1), the following persons shall not be considered “insurance-support organizations”: agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees.

Methods of Compliance

Insurers, insurance producers, and insurance support organizations must comply with the collection, use, and disclosure of information in accordance with Sections 791.04 – 791.09 of the Insurance Information and Privacy Protection Act.

Government Notice Requirements

All insurers, insurance producers, and insurance support organizations must provide the Insurance Commissioner with any notices or information submitted to the California Attorney General’s Office in accordance with the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82(f)). This notice must also include sample copies, excluding personal information, of any security breach notices provided to consumers.

This information should be provided to the Insurance Commissioner via the following designated email: DataBreach@insurance.ca.gov.

Consumer Notice Requirements

Consumers must be notified of a security incident impacting their personal information in accordance with the requirements provided in the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82).

Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.


Last updated: January 2024