Delaware Insurance Data Security Act, 18 Del. Code. Chapter 86, and Delaware Department of Insurance Universally Applicable Bulletin No. 5 |
Subject Entities | A person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of Delaware (collectively referred to as a “licensee”). Licensees do not include (1) a purchasing group or risk retention group that is chartered or licensed in a state other than Delaware, and (2) a licensee that is acting as an assuming insurer and is domiciled in a state or jurisdiction other than Delaware. |
Security Standard under the Insurance Data Security Law | Licensees are required to: |
Type of Data Covered | Electronic information that is not publicly available information. |
Definitions |
“Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a Delaware resident and whose nonpublic information is in a licensee’s possession, control, or custody.
“Cybersecurity event” means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system. A cybersecurity event does not include either of the following:
“Nonpublic Information” means electronic information that is not publicly-available information and is at least 1 of the following:
“Publicly-available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public, including any of the following:
For purposes of this definition, “reasonable basis to believe that information is lawfully made available to the general public” means a licensee has taken steps and determined all of the following: |
Methods of Compliance |
Implementation of an Information Security Program
Objectives of Information Security Program
Risk Assessment
Risk Management
Oversight
Incident Response Plan
The IRP must address all of the following areas:
Investigation of a Cybersecurity Event |
Government Notice Requirements |
Notification to the Insurance Commissioner
Licensees must notify the Insurance Commissioner as promptly as possible, but in no event later than 3 business days from the determination that a cybersecurity event has occurred, if either of the following criteria is met:
Notification to the Insurance Commissioner should be submitted to the Insurance Commissioner’s dedicated email box: doidatasecurity@delaware.gov. The licensee must provide continuing updates and supplement the initial and subsequent notifications to the Insurance Commissioner. Notice to the Insurance Commissioner should include the following information: |
Consumer Notice Requirements |
If a licensee determines that a cybersecurity event having a reasonable likelihood of materially harming a consumer has occurred, and the event is one of which the licensee is required to notify the Insurance Commissioner, the licensee must provide notice of the event to the affected consumers. All impacted consumers must be notified of a cybersecurity event without unreasonable delay, but no later than 60 days after determining that a cybersecurity event occurred, unless any of the following apply:
If a cybersecurity event involves a Social Security number, a licensee must offer free credit monitoring services for 1 year to each consumer whose nonpublic information was breached or is reasonably believed to have been breached. If a cybersecurity event involves a breach of email account login credentials that the licensee provided to the consumer, the licensee may not provide notice via the involved email address. |
Government Reporting |
Annual Certification to the Department of Insurance
An insurer domiciled in Delaware that is subject to the Act must annually submit the following to the Insurance Commissioner at doidatasecurity@delaware.gov:
This annual certification must be provided to the Insurance Commissioner no later than February 15th. |
Notice Regarding Cybersecurity Event of Third-Party Service Providers | |
Notice Regarding Cybersecurity Events of Reinsurers to Insurers | |
Notice Regarding Cybersecurity Events of Insurers to Producers of Record |
If a cybersecurity event for which consumer notice is required involves nonpublic information in the possession, custody, or control of a licensee who is an insurer, or of a licensee’s third-party service provider, and the affected consumer accessed the insurer’s services through an independent insurance producer, the licensee must notify the producers of record of the consumer who was affected by the cybersecurity event in a reasonable manner and at a time reasonably concurrent with the time the notice is provided to the affected consumer. The insurer is excused from this obligation for a producer who is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in an instance in which the insurer does not have the current producer of record information for the consumer. |
Last updated: January 2024