As used in this article: “Authorized person” means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems. “Consumer” means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a […]
Nothing in this article shall be construed to create or imply a private cause of action for violation of its provisions, nor shall it be construed to curtail a private cause of action which would otherwise exist in the absence of this article. 2020, c. 264.
A. Commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information […]
A. If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an investigator shall conduct a prompt investigation. B. During the investigation, the licensee or an investigator shall, at a minimum, determine as much of the following information as possible: 1. Determine whether a cybersecurity event has occurred; 2. […]
A. If a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if: 1. The licensee is a domestic insurance company, or in the […]
A. A licensee that maintains consumers’ nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers’ nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers’ nonpublic information was accessed and acquired […]
A. The Commissioner may examine and investigate the affairs of any licensee to determine whether a licensee has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the Commissioner has under Article 4 of Chapter 13 (38.2-1300 et seq.) and Chapter 18 (38.2-1800 […]
A. Any documents, materials, or other information in the control or possession of the Bureau that are furnished by a licensee or an employee or agent thereof acting on behalf of licensee pursuant to subsection H of § 38.2-623 or subdivisions B 2, 3, 4, 5, 8, 10, and 11 § 38.2-625, or that are […]
A. The following exceptions shall apply to this article: 1. A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of § 38.2-623, provided that licensee is compliant with, and submits a written statement […]
