On July 31, 2019, Delaware Governor John C. Carney, Jr. signed the Insurance Data Security Act (“IDSA”) into law. The IDSA establishes a comprehensive regulatory framework requiring insurers licensed to do business in Delaware to: i) implement information security programs and risk assessments; ii) investigate whether a cyber security event or data breach occurred and whose data may have been compromised; iii) notify the Delaware Insurance Commissioner within three (3) business days of determining that a cyber security event or data breach occurred; iv) notify all impacted consumers within sixty (60) days of the determination that a cyber security event or data breach has occurred, and data has been or may have been compromised; and v) offer one (1) year of credit monitoring services to impacted customers. Lastly, the IDSA grants the Delaware Insurance Commissioner the power to investigate any insurer to determine whether it has engaged in conduct that might violate the IDSA, and to take remedial action.

Delaware’s Insurance Data Security Act is based on the National Association of Insurance Commissioners (“NAIC”) Model Law. Since NAIC’s promulgation of the Model Law in October of 2017, several other states have adopted similar laws and regulations, including South Carolina, Michigan, Ohio, and New York. We expect this trend to continue and foresee states continuing to adopt the NAIC Model Law.

Amidst the rising incidence of cyberattacks and the growing number of high-profile data breaches, regulators have stepped up their scrutiny of information security programs. As the trend continues, insurance companies should confirm that their information security and data privacy programs are compliant.

A copy of Delaware’s IDSA can be found here.