Subject Entities
Applies to licensed insurers or producers, other persons licensed or required to be licensed, authorized, or registered, or holding a certificate of authority under the state Insurance Code of 1956.
Security Standard
Licensees must maintain a comprehensive written information security program that contains administrative, physical, and technical safeguards for the protection of nonpublic information, commensurate with:
Types of Data Covered
Electronic data; paper and other non-electronic data are also included when the nonpublic information concerns medical or health information.
Definitions
“Consumer” means a resident whose nonpublic information is in the subject entity’s possession, custody, or control.
“Cybersecurity event” means an event resulting in unauthorized access to or the disruption or misuse of an information system or nonpublic information stored on an information system.
“Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
“Nonpublic Information” means electronic information not publicly available and:
Methods of Compliance
Comprehensive information security program requirements:
Risk Assessment Requirements: A subject entity must conduct a risk assessment pursuant to the statute. Based on the results of its risk assessment, a subject entity must:
The statute imposes additional requirements and oversight obligations on a subject entity’s board of directors (where applicable). An incident response plan must include:
Government Notice
A subject licensee must annually submit (no later than February 15) to the Director of Insurance and Financial Services a written statement certifying compliance with the statute. The licensee must maintain all documents supporting the certification for five (5) years and make them available for inspection by the Director.
Enforcement
The statute does not create a private right of action.
Last updated: January 2024