Pennsylvania Gov. Josh Shapiro signed HB 739, the Pennsylvania Insurance Data Security Act, on June 14 after the bill passed unanimously through the state’s house and senate. Pennsylvania joins 21 states in adopting legislation based on the National Association of Insurance Commissioners (NAIC) model insurance data security law.
Pennsylvania Insurance Commissioner Michael Humphreys applauded the passage of the bill and noted that the Pennsylvania Insurance Department (PID) has been preparing to implement this important initiative and has developed various tools that will assist consumers and companies dealing with cyber breaches. Coordination between PID and the industry is imperative not only in helping consumers deal with breaches, but also in preventing them by ensuring that insurers have appropriate measures in place to protect consumers' sensitive financial information, he said.
In a release, Humphreys stated that FBI statistics show cybercrime is on the rise. In 2022, Americans reported more than $10.3 billion in losses due to cybercrime, a 49 percent increase from 2021, and the FBI received more than 800,000 reported complaints. Pennsylvania saw more reported victims of cybercrime than Canada, India, Australia, France, and South Africa combined. The insurance industry is a particularly attractive target for cybercriminals due to the volume of personal information insurers maintain.
House Bill 739 requires insurance licensees (companies and individuals), except for certain small businesses, to conduct a risk assessment to identify cyber threats and determine the likelihood and potential damage of these threats. Each licensee also is required to develop a comprehensive information security program to mitigate identified risks and establish an incident response plan to recover from cybersecurity events, ensuring consumer protection in the event of a data breach.
The risk assessment must:
- Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
- Assess the likelihood and potential damages of threats, taking into consideration the sensitivity of the nonpublic information.
- Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage threats in each relevant area of the licensee’s operations, including: employee training and management; information systems, including network and software design and information classification, governance, processing, storage, transmission and disposal; and detection, prevention and response to attacks, intrusions or other system failures.
- Implement information safeguards to manage the threats identified in its ongoing assessment.
- At least annually, assess the effectiveness of the safeguards’ key controls, systems and procedures.
Licensees will have to develop, implement and maintain a comprehensive written information security program based on the licensee’s risk assessment that:
- Contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information systems.
- Is commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities; and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody or control.
- Is designed to protect the security and confidentiality of nonpublic information and the security of the information systems; to protect against any threats or hazards to the security or integrity of nonpublic information and the information systems; to protect against unauthorized access to or use of nonpublic information; and to minimize the likelihood of harm to a consumer.
- Defines and periodically reevaluates a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
Licensees will have to designate one or more employees, an affiliate or an outside vendor to act on behalf of the licensee, and that designee will be responsible for the licensee’s information security program.
Additionally, the act requires licensees to notify the insurance commissioner within five business days that a cybersecurity event involving nonpublic information has occurred. Prompt notification to PID will allow the department to work with insurers to help mitigate damages and assist consumers.
The new law defines a cybersecurity event as “an event resulting in unauthorized access to, or disruption of or misuse of an information system or nonpublic information stored on the information system.” The term does not include:
- “the unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released or used without authorization.”
- “an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”