2018 -- H 7789 | |
======== | |
LC004917 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2018 | |
____________ | |
A N A C T | |
RELATING TO INSURANCE - INSURANCE DATA SECURITY ACT | |
| |
Introduced By: Representatives Kennedy, O`Grady, Edwards, Marshall, and Azzinaro | |
Date Introduced: February 28, 2018 | |
Referred To: House Corporations | |
(Dept. of Business Regulation) | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 27 of the General Laws entitled "INSURANCE" is hereby amended |
2 | by adding thereto the following chapter: |
3 | CHAPTER 1.3 |
4 | INSURANCE DATA SECURITY ACT |
5 | 27-1.3-1. Title. |
6 | This chapter shall be known and may be cited as the "Insurance Data Security Act." |
7 | 27-1.3-2. Purpose and intent. |
8 | (a) The purpose and intent of this chapter is to establish standards for data security and |
9 | standards for the investigation of and notification to the commissioner of a cybersecurity event |
10 | applicable to licensees, as defined in § 27-1.3-3. |
11 | (b) The insurance data security act may not be construed to create or imply a private |
12 | cause of action for violation of its provisions nor may it be construed to curtail a private cause of |
13 | action which would otherwise exist in the absence of this chapter. |
14 | 27-1.3-3. Definitions. |
15 | As used in this chapter, the following terms shall have the following meanings: |
16 | (1) "Authorized individual" means an individual known to and screened by the licensee |
17 | and determined to be necessary and appropriate to have access to the nonpublic information held |
18 | by the licensee and its information systems. |
19 | (2) "Commissioner" means the director of the department of business regulation or the |
| |
1 | chief insurance regulatory official of the state. |
2 | (3) "Consumer" means an individual, including, but not limited to applicants, |
3 | policyholders, insureds, beneficiaries, claimants, and certificate holders who is a resident of this |
4 | state and whose nonpublic information is in a licensee's possession, custody or control. |
5 | (4) "Cybersecurity event" means an event resulting in unauthorized access to, disruption |
6 | or misuse of, an information system or information stored on such information system. The term |
7 | "cybersecurity event" shall not include the unauthorized acquisition of encrypted nonpublic |
8 | information if the encryption, process or key is not also acquired, released or used without |
9 | authorization, nor an event with regard to which the licensee has determined that the nonpublic |
10 | information accessed by an unauthorized person has not been used or released, and has been |
11 | returned or destroyed. |
12 | (5) "Department" means the department of business regulation, division of insurance. |
13 | (6) "Encrypted" means the transformation of data into a form which results in a low |
14 | probability of assigning meaning without the use of a protective process or key. |
15 | (7) "Information security program" means the administrative, technical, and physical |
16 | safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, |
17 | dispose of, or otherwise handle nonpublic information. |
18 | (8) "Information system" means a discrete set of electronic information resources |
19 | organized for the collection, processing, maintenance, use, sharing, dissemination or disposition |
20 | of electronic information, as well as any specialized system such as industrial/process controls |
21 | systems, telephone switching and private branch exchange systems, and environmental control |
22 | systems. |
23 | (9) "Licensee" means any person licensed, authorized to operate, or registered, or |
24 | required to be licensed, authorized, or registered pursuant to the insurance laws of this state but |
25 | shall not include a purchasing group or a risk retention group chartered and licensed in a state |
26 | other than this state or a licensee that is acting as an assuming insurer that is domiciled in another |
27 | state or jurisdiction. |
28 | (10) "Multi-factor authentication" means authentication through verification of at least |
29 | two (2) of the following types of authentication factors: |
30 | (i) Knowledge factors, such as a password; or |
31 | (ii) Possession factors, such as a token or text message on a mobile phone; or |
32 | (iii) Inherence factors, such as a biometric characteristic. |
33 | (11) "Nonpublic information" means information that is not publicly available |
34 | information and is: |
| LC004917 - Page 2 of 14 |
1 | (i) Business related information of a licensee the tampering with which, or unauthorized |
2 | disclosure, access or use of which, would cause a material adverse impact to the business, |
3 | operations or security of the licensee; |
4 | (ii) Any information concerning a consumer which because of name, number, personal |
5 | mark, or other identifier can be used to identify such consumer, in combination with any one or |
6 | more of the following data elements: |
7 | (A) Social Security number; |
8 | (B) Driver's license number or non-driver identification card number; |
9 | (C) Account number, credit or debit card number; |
10 | (D) Any security code, access code or password that would permit access to a consumer's |
11 | financial account; or |
12 | (E) Biometric records; |
13 | (iii) Any information or data, except age or gender, in any form or medium created by or |
14 | derived from a health care provider or a consumer and that relates to: |
15 | (A) The past, present or future physical, mental or behavioral health or condition of any |
16 | consumer or a member of the consumer's family; |
17 | (B) The provision of health care to any consumer; or |
18 | (C) Payment for the provision of health care to any consumer. |
19 | (12) "Person" means any individual or any non-governmental entity, including, but not |
20 | limited to, any non-governmental partnership, corporation, branch, agency or association. |
21 | (13) "Publicly available information" means any information that a licensee has a |
22 | reasonable basis to believe is lawfully made available to the general public from: federal, state or |
23 | local government records; widely distributed media; or disclosures to the general public that are |
24 | required to be made by federal, state or local law. For the purposes of this section, a licensee has a |
25 | reasonable basis to believe that information is lawfully made available to the general public if the |
26 | licensee has taken steps to determine: |
27 | (i) That the information is of the type that is available to the general public; and |
28 | (ii) Whether a consumer can direct that the information not be made available to the |
29 | general public and, if so, that such consumer has not done so. |
30 | (14) "Risk assessment" means the risk assessment that each licensee is required to |
31 | conduct under § 27-1.3-4(c). |
32 | (15) "State" means the state of Rhode Island. |
33 | (16) "Third-party service provider" means a person, not otherwise defined as a licensee, |
34 | that contracts with a licensee to maintain, process, store or otherwise is permitted access to |
| LC004917 - Page 3 of 14 |
1 | nonpublic information through its provision of services to the licensee. |
2 | 27-1.3-4. Information security program. |
3 | (a) Implementation of an information security program. Commensurate with the size and |
4 | complexity of the licensee, the nature and scope of the licensee's activities, including its use of |
5 | third-party service providers, and the sensitivity of the nonpublic information used by the licensee |
6 | or in the licensee's possession, custody or control, each licensee shall develop, implement, and |
7 | maintain a comprehensive written information security program based on the licensee's risk |
8 | assessment and that contains administrative, technical, and physical safeguards for the protection |
9 | of nonpublic information and the licensee's information system. |
10 | (b) Objectives of information security program. A licensee's information security |
11 | program shall be designed to: |
12 | (1) Protect the security and confidentiality of nonpublic information and the security of |
13 | the information system; |
14 | (2) Protect against any threats or hazards to the security or integrity of nonpublic |
15 | information and the information system; |
16 | (3) Protect against unauthorized access to or use of nonpublic information, and minimize |
17 | the likelihood of harm to any consumer; and |
18 | (4) Define and periodically reevaluate a schedule for retention of nonpublic information |
19 | and a mechanism for its destruction when no longer needed. |
20 | (c) Risk assessment. The licensee shall: |
21 | (1) Designate one or more employees, an affiliate, or an outside vendor designated to act |
22 | on behalf of the licensee who is responsible for the information security program; |
23 | (2) Identify reasonably foreseeable internal or external threats that could result in |
24 | unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic |
25 | information, including the security of information systems and nonpublic information that are |
26 | accessible to, or held by, third-party service providers; |
27 | (3) Assess the likelihood and potential damage of these threats, taking into consideration |
28 | the sensitivity of the nonpublic information; |
29 | (4) Assess the sufficiency of policies, procedures, information systems and other |
30 | safeguards in place to manage these threats, including consideration of threats in each relevant |
31 | area of the licensee's operations, including: |
32 | (i) Employee training and management; |
33 | (ii) Information systems, including network and software design, as well as information |
34 | classification, governance, processing, storage, transmission, and disposal; and |
| LC004917 - Page 4 of 14 |
1 | (iii) Detecting, preventing, and responding to attacks, intrusions, or other systems |
2 | failures; and |
3 | (5) Implement information safeguards to manage the threats identified in its ongoing |
4 | assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, |
5 | systems, and procedures. |
6 | (d) Risk management. Based on its risk assessment, the licensee shall: |
7 | (1) Design its information security program to mitigate the identified risks, |
8 | commensurate with the size and complexity of the licensee's activities, including its use of third- |
9 | party service providers, and the sensitivity of the nonpublic information used by the licensee or in |
10 | the licensee's possession, custody or control. |
11 | (2) Determine which security measures listed below are appropriate, and implement such |
12 | security measures: |
13 | (i) Place access controls on information systems, including controls to authenticate and |
14 | permit access only to authorized individuals to protect against the unauthorized acquisition of |
15 | nonpublic information; |
16 | (ii) Identify and manage the data, personnel, devices, systems, and facilities that enable |
17 | the organization to achieve business purposes in accordance with their relative importance to |
18 | business objectives and the organization's risk strategy; |
19 | (iii) Restrict access at physical locations containing nonpublic information, only to |
20 | authorized individuals; |
21 | (iv) Protect by encryption or other appropriate means, all nonpublic information while |
22 | being transmitted over an external network and all nonpublic information stored on a laptop |
23 | computer or other portable computing or storage device or media; |
24 | (v) Adopt secure development practices for in-house developed applications utilized by |
25 | the licensee and procedures for evaluating, assessing or testing the security of externally |
26 | developed applications utilized by the licensee; |
27 | (vi) Modify the information system in accordance with the licensee's information security |
28 | program; |
29 | (vii) Utilize effective controls, which may include multi-factor authentication procedures |
30 | for any individual accessing nonpublic information; |
31 | (viii) Regularly test and monitor systems and procedures to detect actual and attempted |
32 | attacks on, or intrusions into, information systems; |
33 | (ix) Include audit trails within the information security program designed to detect and |
34 | respond to cybersecurity events and designed to reconstruct material financial transactions |
| LC004917 - Page 5 of 14 |
1 | sufficient to support normal operations and obligations of the licensee; |
2 | (x) Implement measures to protect against destruction, loss, or damage of nonpublic |
3 | information due to environmental hazards, such as fire and water damage or other catastrophes or |
4 | technological failures; and |
5 | (xi) Develop, implement, and maintain procedures for the secure disposal of nonpublic |
6 | information in any format. |
7 | (3) Include cybersecurity risks in the licensee's enterprise risk management process. |
8 | (4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable |
9 | security measures when sharing information relative to the character of the sharing and the type |
10 | of information shared; and |
11 | (5) Provide its personnel with cybersecurity awareness training that is updated as |
12 | necessary to reflect risks identified by the licensee in the risk assessment. |
13 | (e) Oversight by board of directors. If the licensee has a board of directors, the board or |
14 | an appropriate committee of the board shall, at a minimum: |
15 | (1) Require the licensee's executive management or its delegates to develop, implement, |
16 | and maintain the licensee's information security program; |
17 | (2) Require the licensee's executive management or its delegates to report in writing at |
18 | least annually, the following information: |
19 | (i) The overall status of the information security program and the licensee's compliance |
20 | with this chapter; and |
21 | (ii) Material matters related to the information security program, addressing issues such |
22 | as risk assessment, risk management and control decisions, third-party service provider |
23 | arrangements, results of testing, cybersecurity events or violations and management's responses |
24 | thereto, and recommendations for changes in the information security program. |
25 | (3) If executive management delegates any of its responsibilities under § 27-1.3-4, it shall |
26 | oversee the development, implementation and maintenance of the licensee's information security |
27 | program prepared by the delegate(s) and shall receive a report from the delegate(s) complying |
28 | with the requirements of the report to the board of directors above. |
29 | (f) Oversight of third-party service provider arrangements: |
30 | (1) A licensee shall exercise due diligence in selecting its third-party service provider; |
31 | and |
32 | (2) A licensee shall require a third-party service provider to implement appropriate |
33 | administrative, technical, and physical measures to protect and secure the information systems |
34 | and nonpublic information that are accessible to, or held by, the third-party service provider. |
| LC004917 - Page 6 of 14 |
1 | (g) Program adjustments. The licensee shall monitor, evaluate and adjust, as appropriate, |
2 | the information security program consistent with any relevant changes in technology, the |
3 | sensitivity of its nonpublic information, internal or external threats to information, and the |
4 | licensee's own changing business arrangements, such as mergers and acquisitions, alliances and |
5 | joint ventures, outsourcing arrangements and changes to information systems. |
6 | (h) Incident response plan: |
7 | (1) As part of its information security program, each licensee shall establish a written |
8 | incident response plan designed to promptly respond to, and recover from, any cybersecurity |
9 | event that compromises the confidentiality, integrity or availability of nonpublic information in |
10 | its possession, the licensee's information systems, or the continuing functionality of any aspect of |
11 | the licensee's business or operations; |
12 | (2) Such incident response plan shall address the following areas: |
13 | (i) The internal process for responding to a cybersecurity event; |
14 | (ii) The goals of the incident response plan; |
15 | (iii) The definition of clear roles, responsibilities and levels of decision-making authority; |
16 | (iv) External and internal communications and information sharing; |
17 | (v) Identification of requirements for the remediation of any identified weaknesses in |
18 | information systems and associated controls; |
19 | (vi) Documentation and reporting regarding cybersecurity events and related incident |
20 | response activities; and |
21 | (vii) The evaluation and revision as necessary of the incident response plan following a |
22 | cybersecurity event. |
23 | (i) Annual certification to commissioner of a domiciliary state. Annually, each insurer |
24 | domiciled in this state shall submit to the commissioner, a written statement by February 15, |
25 | certifying that the insurer is in compliance with the requirements set forth in § 27-1.3-4. Each |
26 | insurer shall maintain for examination by the department all records, schedules and data |
27 | supporting this certificate for a period of five (5) years. To the extent an insurer has identified |
28 | areas, systems or processes that require material improvement, updating or redesign, the insurer |
29 | shall document the identification and the remedial efforts planned and underway to address such |
30 | areas, systems or processes. Such documentation must be available for inspection by the |
31 | commissioner. |
32 | 27-1.3-5. Investigation of a cybersecurity event. |
33 | (a) If the licensee learns that a cybersecurity event has or may have occurred, the |
34 | licensee, or an outside vendor and/or service provider designated to act on behalf of the licensee, |
| LC004917 - Page 7 of 14 |
1 | shall conduct a prompt investigation. |
2 | (b) During the investigation, the licensee, or an outside vendor and/or service provider |
3 | designated to act on behalf of the licensee, shall, at a minimum determine as much of the |
4 | following information as possible: |
5 | (1) Determine whether a cybersecurity event has occurred; |
6 | (2) Assess the nature and scope of the cybersecurity event; |
7 | (3) Identify any nonpublic information that may have been involved in the cybersecurity |
8 | event; and |
9 | (4) Perform or oversee reasonable measures to restore the security of the information |
10 | systems compromised in the cybersecurity event in order to prevent further unauthorized |
11 | acquisition, release or use of nonpublic information in the licensee's possession, custody or |
12 | control. |
13 | (c) If the licensee learns that a cybersecurity event has or may have occurred in a system |
14 | maintained by a third-party service provider, the licensee will complete the steps listed in |
15 | subsection (b) of this section, or confirm and document that the third-party service provider has |
16 | completed those steps. |
17 | (d) The licensee shall maintain records concerning all cybersecurity events for a period of |
18 | at least five (5) years from the date of the cybersecurity event and shall produce those records |
19 | upon demand of the commissioner. |
20 | 27-1.3-6. Notification of a cybersecurity event. |
21 | (a) Notification to the commissioner. Each licensee shall notify the commissioner as |
22 | promptly as possible but, in no event later than seventy-two (72) hours from a determination that |
23 | a cybersecurity event has occurred when either of the following criteria has been met: |
24 | (1) This state is the licensee's state of domicile, in the case of an insurer, or this state is |
25 | the licensee's home state, in the case of a producer, as those terms are defined in § 27-2.4-2; or |
26 | (2) The licensee reasonably believes that the nonpublic information involved is of two |
27 | hundred fifty (250) or more consumers residing in this state and that is either of the following: |
28 | (i) A cybersecurity event impacting the licensee of which notice is required to be |
29 | provided to any government body, self-regulatory agency or any other supervisory body pursuant |
30 | to any state or federal law; or |
31 | (ii) A cybersecurity event that has a reasonable likelihood of materially harming: |
32 | (A) Any consumer residing in this state; or |
33 | (B) Any material part of the normal operation(s) of the licensee. |
34 | (b) The licensee shall provide as much of the following information as possible. The |
| LC004917 - Page 8 of 14 |
1 | licensee shall provide the information in electronic form as directed by the commissioner. The |
2 | licensee shall have a continuing obligation to update and supplement initial and subsequent |
3 | notifications to the commissioner concerning the cybersecurity event, including, but not limited |
4 | to: |
5 | (1) Date of the cybersecurity event; |
6 | (2) Description of how the information was exposed, lost, stolen, or breached, including |
7 | the specific roles and responsibilities of third-party service providers, if any; |
8 | (3) How the cybersecurity event was discovered; |
9 | (4) Whether any lost, stolen, or breached information has been recovered and if so, how |
10 | this was done; |
11 | (5) The identity of the source of the cybersecurity event; |
12 | (6) Whether the licensee has filed a police report or has notified any regulatory, |
13 | government or law enforcement agencies and, if so, when such notification was provided; |
14 | (7) Description of the specific types of information acquired without authorization. |
15 | Specific types of information means particular data elements including, for example, types of |
16 | medical information, types of financial information or types of information allowing |
17 | identification of the consumer; |
18 | (8) The period during which the information system was compromised by the |
19 | cybersecurity event; |
20 | (9) The number of total consumers in this state affected by the cybersecurity event. The |
21 | licensee shall provide the best estimate in the initial report to the commissioner and update this |
22 | estimate with each subsequent report to the commissioner pursuant to this section; |
23 | (10) The results of any internal review identifying a lapse in either automated controls or |
24 | internal procedures, or confirming that all automated controls or internal procedures were |
25 | followed; |
26 | (11) Description of efforts being undertaken to remediate the situation which permitted |
27 | the cybersecurity event to occur; |
28 | (12) A copy of the licensee's privacy policy and a statement outlining the steps the |
29 | licensee will take to investigate and notify consumers affected by the cybersecurity event; and |
30 | (13) Name of a contact person who is both familiar with the cybersecurity event and |
31 | authorized to act for the licensee. |
32 | (c) Notification to consumers. The licensee shall comply with chapter 49.3 of title 11, as |
33 | applicable, and provide a copy of the notice sent to consumers under that statute to the |
34 | commissioner, when a licensee is required to notify the commissioner under subsection (a) of this |
| LC004917 - Page 9 of 14 |
1 | section. |
2 | (d) Notice regarding cybersecurity events of third-party service providers: |
3 | (1) In the case of a cybersecurity event in a system maintained by a third-party service |
4 | provider, of which the licensee has become aware, the licensee shall treat such event as it would |
5 | under subsection (a) of this section. |
6 | (2) The computation of licensee's deadlines shall begin on the day after the third-party |
7 | service provider notifies the licensee of the cybersecurity event or the licensee otherwise has |
8 | actual knowledge of the cybersecurity event, whichever is sooner. |
9 | (3) Nothing in this chapter shall prevent or abrogate an agreement between a licensee and |
10 | another licensee, a third-party service provider or any other party to fulfill any of the investigation |
11 | requirements imposed under § 27-1.3-5 or notice requirements imposed under this section. |
12 | (e) Notice regarding cybersecurity events of reinsurers to insurers: |
13 | (1)(i) In the case of a cybersecurity event involving nonpublic information that is used by |
14 | the licensee that is acting as an assuming insurer or in the possession, custody or control of a |
15 | licensee that is acting as an assuming insurer and that does not have a direct contractual |
16 | relationship with the affected consumers, the assuming insurer shall notify its affected ceding |
17 | insurers and the commissioner of its state of domicile within seventy-two (72) hours of making |
18 | the determination that a cybersecurity event has occurred. |
19 | (ii) The ceding insurers that have a direct contractual relationship with affected |
20 | consumers shall fulfill the consumer notification requirements imposed under chapter 49.3 of title |
21 | 11, and any other notification requirements relating to a cybersecurity event imposed under this |
22 | section. |
23 | (2)(i) In the case of a cybersecurity event involving nonpublic information that is in the |
24 | possession, custody or control of a third-party service provider of a licensee that is an assuming |
25 | insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its |
26 | state of domicile within seventy-two (72) hours of receiving notice from its third-party service |
27 | provider that a cybersecurity event has occurred. |
28 | (ii) The ceding insurers that have a direct contractual relationship with affected |
29 | consumers shall fulfill the consumer notification requirements imposed under chapter 49.3 of title |
30 | 11, and any other notification requirements relating to a cybersecurity event imposed under this |
31 | section. |
32 | (f) Notice regarding cybersecurity events of insurers to producers of record. |
33 | In the event of a cybersecurity event involving nonpublic information that is in the |
34 | possession, custody or control of a licensee that is an insurer, or its third-party service provider, |
| LC004917 - Page 10 of 14 |
1 | and for which a consumer accessed the insurer's services through an independent insurance |
2 | producer, the insurer shall notify the producers of record of all affected consumers as soon as |
3 | practicable as directed by the commissioner. |
4 | The insurer shall be excused from this obligation for those instances in which it does not |
5 | have the current producer of record information for any individual consumer. |
6 | 27-1.3-7. Power of commissioner. |
7 | (a) The commissioner shall have power to examine and investigate into the affairs of any |
8 | licensee to determine whether the licensee has been or is engaged in any conduct in violation of |
9 | this chapter. This power is in addition to the powers which the commissioner has pursuant to |
10 | chapter 13.1 of title 27. Any such investigation or examination shall be conducted pursuant to |
11 | chapter 13.1 of title 27. |
12 | (b) Whenever the commissioner has reason to believe that a licensee has been or is |
13 | engaged in conduct in this state which violates this chapter, the commissioner may take action |
14 | that is necessary or appropriate to enforce the provisions of this chapter. |
15 | 27-1.3-8. Confidentiality. |
16 | (a) Any documents, materials or other information in the control or possession of the |
17 | department that are furnished by a licensee or an employee or agent thereof acting on behalf of |
18 | licensee pursuant to §§ 27-1.3-4(i), 27-1.3-6(b)(2), 27-1.3-6(b)(3), 27-1.3-6(b)(4), 27-1.3-6(b)(5), |
19 | 27-1.3-6(b)(8), 27-1.3-6(b)(10), and 27-1.3-6(b)(11), or that are obtained by the commissioner in |
20 | an investigation or examination pursuant to § 27-1.3-7, shall be confidential by law and |
21 | privileged, shall not be subject to chapter 2 of title 38, shall not be subject to subpoena, and shall |
22 | not be subject to discovery or admissible in evidence in any private civil action; provided, |
23 | however, the commissioner is authorized to use the documents, materials or other information in |
24 | the furtherance of any regulatory or legal action brought as a part of the commissioner's duties. |
25 | (b) Neither the commissioner nor any person who received documents, materials or other |
26 | information while acting under the authority of the commissioner shall be permitted or required to |
27 | testify in any private civil action concerning any confidential documents, materials, or |
28 | information subject to subsection (a) of this section. |
29 | (c) In order to assist in the performance of the commissioner's duties under this chapter, |
30 | the commissioner: |
31 | (1) May share documents, materials or other information, including the confidential and |
32 | privileged documents, materials or information subject to subsection (a) of this section, with other |
33 | state, federal, and international regulatory agencies, with the National Association of Insurance |
34 | Commissioners, its affiliates or subsidiaries, and with state, federal, and international law |
| LC004917 - Page 11 of 14 |
1 | enforcement authorities, provided that the recipient agrees in writing to maintain the |
2 | confidentiality and privileged status of the document, material or other information; |
3 | (2) May receive documents, materials or information, including otherwise confidential |
4 | and privileged documents, materials or information, from the National Association of Insurance |
5 | Commissioners, its affiliates or subsidiaries and from regulatory and law enforcement officials of |
6 | other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any |
7 | document, material or information received with notice or the understanding that it is confidential |
8 | or privileged under the laws of the jurisdiction that is the source of the document, material or |
9 | information; and |
10 | (3) May share documents, materials or other information subject to subsection (a) of this |
11 | section, with a third-party consultant or vendor provided the consultant agrees in writing to |
12 | maintain the confidentiality and privileged status of the document, material or other information; |
13 | and |
14 | (4) May enter into agreements governing sharing and use of information consistent with |
15 | this subsection. |
16 | (d) No waiver of any applicable privilege or claim of confidentiality in the documents, |
17 | materials, or information shall occur as a result of disclosure to the commissioner under this |
18 | section or as a result of sharing as authorized in subsection (c) of this section. |
19 | (e) Nothing in this chapter shall prohibit the commissioner from releasing final, |
20 | adjudicated actions that are open to public inspection pursuant to chapter 2 of title 38 to a |
21 | database or other clearinghouse service maintained by the National Association of Insurance |
22 | Commissioners, its affiliates or subsidiaries. |
23 | 27-1.3-9. Exceptions. |
24 | (a) The following exceptions shall apply to this chapter: |
25 | (1) A licensee with fewer than ten (10) employees, including any independent |
26 | contractors, is exempt from the provisions of § 27-1.3-4; |
27 | (2) A licensee subject to Pub. L. 104–191, 110 Stat. 1936, enacted August 21, 1996 |
28 | (Health Insurance Portability and Accountability Act) that has established and maintains an |
29 | information security program pursuant to such statutes, rules, regulations, procedures or |
30 | guidelines established thereunder, will be considered to meet the requirements of § 27-1.3-4; |
31 | provided, that, licensee is compliant with, and submits a written statement certifying its |
32 | compliance with, the same; |
33 | (3) An employee, agent, representative or designee of a licensee, who is also a licensee, is |
34 | exempt from § 27-1.3-4 and need not develop its own information security program to the extent |
| LC004917 - Page 12 of 14 |
1 | that the employee, agent, representative or designee is covered by the information security |
2 | program of the other licensee. |
3 | (b) In the event that a licensee ceases to qualify for an exception, such licensee shall have |
4 | one hundred eighty (180) days to comply with this chapter. |
5 | 27-1.3-10. Penalties. |
6 | In the case of a violation of this chapter, a licensee may be penalized in accordance with |
7 | the administrative penalties contained in § 42-14-16. |
8 | 27-1.3-11. Severability. |
9 | If any provision of this chapter or the application thereof to any person or circumstance is |
10 | for any reason held to be invalid, the remainder of the chapter and the application of such |
11 | provision to other persons or circumstances shall not be affected thereby. |
12 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004917 | |
======== | |
| LC004917 - Page 13 of 14 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO INSURANCE - INSURANCE DATA SECURITY ACT | |
*** | |
1 | This act would create the "Insurance Data Security Act" which would adopt the National |
2 | Association of Insurance Commissioners Model Act regarding data security. |
3 | This act would take effect upon passage. |
======== | |
LC004917 | |
======== | |
| LC004917 - Page 14 of 14 |