Delaware Insurance Data Security Law

Delaware Insurance Data Security Act, 18 Del. Code Chapter 86, and

Delaware Department of Insurance Universally Applicable Bulletin No. 5


Subject Entities

A person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of Delaware (collectively referred to as a “licensee”). Licensees do not include (1) a purchasing group or risk retention group that is chartered or licensed in a state other than Delaware, and (2) a licensee that is acting as an assuming insurer that is domiciled in a state other than Delaware or another jurisdiction.
Security Standard under the Insurance Data Security Law

Licensees are required to:
  • Implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ nonpublic information and personal data, including oversight of third-party service providers; and
  • Conduct thorough investigations to determine if a cybersecurity event may have occurred and whose data may have been compromised.
Type of Data Covered

Electronic information that is not publicly available information.

Definitions

“Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a Delaware resident and whose nonpublic information is in a licensee’s possession, control, or custody.


“Cybersecurity event” means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system.

A cybersecurity event does not include either of the following:

  • The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
  • An event for which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.


“Nonpublic Information” means electronic information that is not publicly-available information and is at least 1 of the following:

  • Information concerning a consumer which, because of name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any 1 or more of the following data elements:
    • Social Security number;
    • Driver’s license number or nondriver identification card number;
    • Financial account number or credit or debit card number;
    • A security code, access code, or password that permits access to a consumer’s financial account; or
    • A biometric record.
  • Information, except age or gender, in any form or medium created by or derived from a health-care provider or consumer that can be used to identify a consumer and relates to any of the following:
    • The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of a consumer’s family;
    • The provision of health care to a consumer;
    • Payment for the provision of health care to a consumer.


“Publicly-available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public, including any of the following:

  • A federal, state, or local government record;
  • A widely-distributed information source or media; or
  • A disclosure to the general public that is required under federal, state, or local law.

For purposes of this definition, “reasonable basis to believe that information is lawfully made available to the general public” means a licensee has taken steps and determined all of the following:

  • That the information is of the type that is available to the general public.
  • If a consumer can direct that the information may not be made available to the general public, the consumer has not done so.
Methods of Compliance

Implementation of an Information Security Program

  1. A licensee must develop, implement, and maintain a comprehensive, written information security program (“WISP”) based on the licensee’s risk assessment and containing administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
  2. An information security program must be commensurate with the (a) licensee’s size and complexity; (b) the nature and scope of activities, including the licensee’s use of a third-party service provider; and (c) the sensitivity of the nonpublic information that the licensee uses or has in the licensee’s possession, custody, or control.


Objectives of Information Security Program
A licensee’s information security program must be designed to do all of the following:

  • Protect the security and confidentiality of nonpublic information and the information system.
  • Protect against threats or hazards to the security or integrity of nonpublic information and the information system.
  • Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer.
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when retention of the nonpublic information is no longer needed.


Risk Assessment
A licensee must do all of the following:

  • Designate 1 or more employees, an affiliate, or an outside vendor designated to act on the licensee’s behalf and be responsible for managing and overseeing the information security program.
  • Identify reasonably-foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information.
  • Assess the likelihood and potential damage of a threat, taking into consideration the sensitivity of the nonpublic information.
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage a threat, including consideration of threats in each relevant area of the licensee’s operations, including all of the following:
    • Employee training and management.
    • An information system, including network and software design and information classification, governance, processing, storage, transmission, and disposal.
    • Detecting, preventing, and responding to an attack, intrusion, or other system failure.
  • Implement information safeguards to manage the threats identified in the licensee’s ongoing assessment and, at least annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.

Risk Management
Based on a licensee’s risk assessment, the licensee must do the following:

  • Design an information security program to mitigate the identified risks, commensurate with:
    • The licensee’s size and complexity.
    • The nature and scope of the licensee’s activities.
    • The sensitivity of the nonpublic information the licensee uses or has in its possession, custody, or control.
  • Determine if any of the below security measures are appropriate and implement each appropriate security measure.
    • Place an access control on an information system, including a control to authenticate and permit access only to an authorized individual to protect against the unauthorized acquisition of nonpublic information.
    • Identify and manage the data, personnel, devices, systems, and facilities enabling the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy.
    • Restrict physical access to nonpublic information to authorized individuals only.
    • Protect by encryption or other means all nonpublic information while the nonpublic information is transmitted over an external network and all nonpublic information stored on a portable computing or storage device or media.
    • Adopt both of the following:
      • Secure development practices for an application that a licensee uses and was developed in-house.
      • Procedures for evaluating, assessing, or testing the security of an application that a licensee uses and was developed externally.
    • Modify the information system in accordance with the licensee’s information security program.
    • Utilize effective controls, such as multi-factor authentication procedures, for employees or authorized individuals accessing nonpublic information.
    • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, an information system.
    • Include audit controls within the information security program designed to do the following:
      • Detect and respond to a cybersecurity event.
      • Reconstruct material financial transactions sufficient to support the licensee’s normal operations and obligations.
    • Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards or technological failures.
    • Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.
  • Include cybersecurity risks in the licensee’s enterprise risk management process.
  • Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.
  • Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks the licensee identified in the licensee’s risk assessment.


Oversight
If a licensee has a board of directors, the board or an appropriate committee of the board must, at a minimum, do the following:

  • Require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s information security program.
  • Require the licensee’s executive management or its delegates to report in writing at least annually the following information:
    • The overall status of the information security program and the licensee’s compliance.
    • Material matters related to the information security program, including addressing issues such as the following:
      • Risk assessment, risk management, and control decisions.
      • Third-party service provider arrangements.
      • Results of testing.
      • Cybersecurity events or violations and management’s responses to the events.
      • Recommendations for changes in the information security program.
  • If executive management delegates any of its responsibilities, the following must occur:
    • Executive management must oversee the development, implementation, and maintenance of the licensee’s information security program that the delegate prepares.
    • The delegate must submit to executive management a report complying with the requirements of the report to the board of directors.


Incident Response Plan
As part of a licensee’s information security program, the licensee must establish a written incident response plan (“IRP”) designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of any of the following:

  • Nonpublic information in the licensee’s possession.
  • The licensee’s information system.
  • The continuing functionality of any aspect of the licensee’s business or operations.

The IRP must address all of the following areas:

  • The internal process for responding to a cybersecurity event.
  • The goals of the IRP.
  • The definition of clear roles, responsibilities, and levels of decision-making authority.
  • External and internal communications and information sharing.
  • Identification of requirements for the remediation of any identified weaknesses in an information system and associated controls.
  • Documentation and reporting regarding cybersecurity events and related incident response activities.
  • As necessary, the evaluation and revision of the IRP following a cybersecurity event.


Investigation of a Cybersecurity Event

  • If a licensee learns that a cybersecurity event has or may have occurred, the licensee, or a third party designated to act on the licensee’s behalf, must conduct a prompt investigation.
  • During an investigation, the licensee, or a third party designated to act on the licensee’s behalf, shall, at a minimum, do as much of the following as possible:
    • Determine whether a cybersecurity event has occurred.
    • Assess the nature and scope of the cybersecurity event.
    • Identify the nonpublic information that may have been involved in the cybersecurity event.
    • Perform or oversee reasonable measures to restore the security of the information system compromised in the cybersecurity event to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.
  • If a licensee provides nonpublic information to a third-party service provider and learns that a cybersecurity event has or may have occurred in a system that the third-party service provider maintains, the licensee must complete the investigation steps listed above in section (b) or make reasonable efforts to confirm and document that the third-party service provider completed the steps.
  • A licensee must maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and must produce those records upon the Insurance Commissioner’s demand.
Government Notice Requirements

Notification to the Insurance Commissioner

Licensees must notify the Insurance Commissioner as promptly as possible, but in no event later than 3 business days from the determination that a cybersecurity event has occurred, if either of the following criteria is met:

  • The licensee is an insurer domiciled in Delaware or a producer whose home state is Delaware, and the cybersecurity event results in any of the following:
    • A reasonable likelihood of materially harming a consumer;
    • A reasonable likelihood of materially harming any material part of the licensee’s normal operations; or
    • The licensee is required to provide notice of the cybersecurity event to a government body, self-regulatory agency, or other supervisory body under state or federal law.
  • The licensee reasonably believes that the nonpublic information involved in the cybersecurity event concerns 250 or more consumers and either of the following applies:
    • The cybersecurity event impacts a licensee that is required to provide notice to a government body, self-regulatory agency, or other supervisory body under state or federal law.
    • The cybersecurity event has a reasonable likelihood of materially harming either:
      • A consumer; or
      • A material part of the licensee’s normal operations.

Notification to the Insurance Commissioner should be submitted to the Insurance Commissioner’s dedicated email box: doidatasecurity@delaware.gov. The licensee must provide continuing updates and supplement the initial and subsequent notifications to the Insurance Commissioner.

Notice to the Insurance Commissioner should include the following information:

  • Date of the cybersecurity event.
  • Description of how the information was exposed, lost, stolen, or breached.
  • How the cybersecurity event was discovered.
  • Whether any lost, stolen, or breached information has been recovered and, if so, how it was lost, stolen, or breached.
  • The identity of the source of the cybersecurity event.
  • Whether the licensee filed a police report or notified a regulatory, government, or law-enforcement agency and, if so, when the notification was provided.
  • Description of the specific types of information acquired without authorization, specifically the particular data elements involved, including medical information, financial information, or information allowing identification of a consumer.
  • The period that the cybersecurity event compromised the information system.
  • The total number of Delaware consumers affected by the cybersecurity event. The licensee should provide the best estimate in the initial report to the Commissioner and update the estimate with each subsequent report to the Commissioner under this section.
  • The results of an internal review identifying a lapse in either automated controls or internal procedures, or confirming that the automated controls or internal procedures were followed.
  • Description of efforts undertaken to remediate the situation that permitted the cybersecurity event to occur.
  • A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify affected consumers.
  • The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Consumer Notice Requirements

If a licensee determines that a cybersecurity event having a reasonable likelihood of materially harming a consumer has occurred, and the event is one of which the licensee is required to notify the Insurance Commissioner, the licensee must provide notice of the event to the affected consumers.

All impacted consumers must be notified of a cybersecurity event without unreasonable delay, but no later than 60 days after determining that a cybersecurity event occurred, unless any of the following apply:

  • Federal law requires notice within a shorter time period.
  • A law enforcement agency determines that the notice will impede a criminal investigation and has requested that the licensee delay notice.
  • A licensee that is otherwise required to provide notice could not, through reasonable diligence, identify within 60 days of a cybersecurity event that a consumer’s nonpublic information was included in the event.

If a cybersecurity event includes a Social Security number, a licensee must offer free credit monitoring services for 1 year to each consumer whose nonpublic information was breached or is reasonably believed to have been breached.

If a cybersecurity event involves a breach of email account login credentials that the licensee provided to the consumer, the licensee may not provide notice via the involved email address.
Government Reporting

Annual Certification to the Department of Insurance

An insurer domiciled in Delaware who is subject to the Act must annually submit the following to the Insurance Commissioner at doidatasecurity@delaware.gov:

  • A written statement, certifying that the insurer is in compliance with the requirements of the Act; and
  • The affidavit provided in the Bulletin.

This annual certification must be provided to the Insurance Commissioner no later than February 15th.

Notice Regarding Cybersecurity Events of Third-Party Service Providers

  1. If a cybersecurity event occurs in a system that a third-party service provider maintains and of which a licensee has become aware, the licensee must treat the event as it would its own cybersecurity event, unless the third-party service provider notifies the Insurance Commissioner.
  2. The licensee’s notification deadline clock begins on the first business day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event.
  3. This obligation does not prevent an agreement between a licensee and another licensee, a third-party service provider, or another party to fulfill the investigation or notice requirements.
Notice Regarding Cybersecurity Events of Reinsurers to Insurers

  1. If a cybersecurity event involves nonpublic information used by a licensee who is acting as an assuming insurer, or the nonpublic information is in the possession, custody, or control of a licensee who is acting as an assuming insurer and does not have a direct contractual relationship with the affected consumer, the licensee who is acting as an assuming insurer must notify its affected ceding insurers and the Insurance Commissioner of the licensee who is acting as an assuming insurer’s state of domicile within 3 business days of determining that a cybersecurity event has occurred. A ceding insurer who has a direct contractual relationship with an affected consumer must fulfill the consumer notification requirements and any other notification requirement relating to a cybersecurity event.
  2. If a cybersecurity event involves nonpublic information in the possession, custody, or control of a third-party service provider of a licensee acting as an assuming insurer, the licensee acting as an assuming insurer must notify the affected ceding insurer and the Commissioner of the licensee acting as an assuming insurer’s state of domicile within 3 business days of receiving notice from the licensee acting as an assuming insurer’s third-party service provider that a cybersecurity event occurred. A ceding insurer that has a direct contractual relationship with an affected consumer must fulfill the consumer notification requirements and any other notification requirement relating to a cybersecurity event.
Notice Regarding Cybersecurity Events of Insurers to Producers of Record

If a cybersecurity event for which consumer notice is required involves nonpublic information in the possession, custody, or control of a licensee who is an insurer, or a licensee’s third-party service provider and for which a consumer accessed the insurer’s services through an independent insurance producer, the licensee must notify the producers of record of the consumer who was affected by the cybersecurity event in a reasonable manner and at a time reasonably concurrent with the time the notice is provided to the affected consumer. The insurer is excused from this obligation for a producer who is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in an instance in which the insurer does not have the current producer of record information for the consumer.


Last updated: January 2024