House Bill 174, the Delaware Insurance Data Security Act, was signed into law.
The measure calls for insurers who do business in Delaware to implement information security programs, report instances of data breaches and empowers the Department of Insurance to investigate violations of the act and levy penalties.
The measure had bipartisan co-sponsors.
Delaware Insurance Commissioner Trinidad Navarro remarked:
“When hardworking consumers entrust their personal information to their insurance companies, they have a reasonable expectation that their carriers will do everything they can to safeguard that information. Over the past several years, we have seen time and again consumers’ information be compromised or stolen by hackers’ cyber threats to insurers.
Navarro continued, “By codifying a regulatory standard that requires all insurance licensees in Delaware to implement information security programs and timely report data breaches to the Department and consumers, HB 174 enhances Delaware’s consumer protection measures to hold companies accountable and give consumers the peace of mind that they deserve. I thank Governor Carney and the General Assembly for recognizing the importance of this legislation and enacting it into law.”
Prior to the implementation of this law, there were no standards for insurance companies to follow regarding protection of consumers’ data, and notifying the department. Historically, when an insurer determined that a data breach had occurred, notification to the Department of Insurance was delayed, sometimes by several months.
Work on enhancing insurance data security began after the Anthem data breach in 2015, in which hackers compromised nearly 80 million individuals’ personal information. Since then, there have been 15 insurance data breaches impacting Delaware, the most recent one involving Dominion National, a dental insurance carrier. The number of Delawareans impacted during the breaches during that period of time ranged from one policyholder to over 95,000 policyholders.