On Wednesday, July 31, 2019, Governor John C. Carney, Jr., signed House Bill 174 (“HB 174”) into law. Titled the Delaware Insurance Data Security Act, this law is based on an NAIC Model Act, which establishes a comprehensive regulatory framework that requires insurers licensed to do business in Delaware to implement information security programs and to report instances of data breaches in a prescribed timely manner to the Commissioner and consumers, and that empowers the Department of Insurance to investigate violations of the Act and levy penalties accordingly.
HB 174’s prime sponsors were Representative William Bush, Chair of the House Economic Development, Banking, Insurance & Commerce Committee, and Senator Trey Paradee, also of Dover, and Chair of the Senate Business, Banking & Insurance Committee. Additional sponsors include a bipartisan roster of Representative Krista Griffith, Chair of the House Telecommunication, Internet & Technology Committee, Senate Majority Leader Nicole Poore, Senators Brian Pettyjohn and David Sokola, and Representatives Paul Baumbach, Sherry Dorsey Walker, Timothy Dukes, Sean Matthews, Ray Seigfried, and Michael Smith.
Regarding Governor Carney’s signing of the bill into law, Delaware Insurance Commissioner Trinidad Navarro remarked on how the Act will enhance consumer protection in Delaware.
“When hardworking consumers entrust their personal information to their insurance companies, they have a reasonable expectation that their carriers will do everything they can to safeguard that information,” stated Navarro. “Over the past several years, we have seen time and again consumers’ information be compromised or stolen by hackers’ cyber threats to insurers. By codifying a regulatory standard that requires all insurance licensees in Delaware to implement information security programs and timely report data breaches to the Department and consumers, HB 174 enhances Delaware’s consumer protection measures to hold companies accountable and give consumers the peace of mind that they deserve. I thank Governor Carney and the General Assembly for recognizing the importance of this legislation and enacting it into law.”
Prior to the implementation of this law, there were no standards for insurance companies to follow regarding protecting consumers’ data and notifying the Department. Historically, when an insurer determined that a data breach had occurred, notification to the Department of Insurance was delayed, sometimes by several months. Notably, this Act accomplishes the following:
- Requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and the compromise of consumers’ Nonpublic Information and personal data;
- Requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
- Requires insurers to notify the Insurance Commissioner within three (3) business days of determining that a data breach or cybersecurity event has occurred;
- Mandates that insurers notify all impacted consumers within sixty (60) days of the determination that their data has or may have been compromised;
- Requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
- Endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of this Act and take action accordingly.
“In our fast-paced, technology-driven society, we have to take the necessary steps to put strong consumer protections and data security in place. Data breaches are personal, comprising critical information and forcing an individual to rebuild their entire lives,” said Rep. William Bush, chief sponsor of HB 174. “Instituting a framework with safeguards to protect Delawareans from insurance data breaches is the right thing to do. This comprehensive legislation enhances consumers’ data privacy and protection, with the ultimate goal of giving them peace of mind and security.”
“Insurance companies hold some of the most sensitive information about our residents, but until now had no state-mandated rules to follow for protecting that data or reporting hacks to consumers,” said Sen. Trey Paradee, the bill’s prime Senate sponsor. “While we can’t stop every data breach, we can – and must – do more to ensure that insurance companies are taking steps to protect Delawareans’ private data and notify customers when their information is compromised. Delaware Insurance Commissioner Trinidad Navarro deserves a lot of credit for bringing this matter to our attention and working with us to get this legislation passed.”
Work on enhancing insurance data security began after the Anthem data breach in 2015, in which hackers compromised nearly 80 million individuals’ personal information. Since then, there have been 15 insurance data breaches with Delawareans impacted, the most recent one involving Dominion National, a dental insurance carrier. The number of Delawareans impacted by the breaches during that period ranged from one policyholder to over 95,000 policyholders.
HB 174 passed the House on June 13, 2019, with 40 ‘yes’ votes. The bill cleared its final hurdle on June 26, 2019, with the Delaware Senate voting unanimously in favor. Consumers and producers who have questions about the new law are encouraged to contact the Department of Insurance’s Consumer Services Division at (302) 674-7310 or by email.