Section 27-62-1 – Short Title.

Section 27-62-1 Short title. This chapter shall be known and may be cited as the Insurance Data Security Law. (Act 2019-98, §1.)

Section 27-62-10 – Penalties.

Section 27-62-10 Penalties. (a) An insurance producer violating this chapter may be penalized in accordance with Section 27-7-19. (b) Any other licensee violating this chapter may be subject to the suspension or revocation of the license or certificate of authority of the licensee or, in lieu thereof and at the discretion of the commissioner, the […]

Section 27-62-11 – Rules.

Section 27-62-11 Rules. The commissioner may adopt rules implementing this chapter pursuant to Chapter 2. (Act 2019-98, §11.)

Section 27-62-2 – Purpose and Intent.

Section 27-62-2 Purpose and intent. (a) Notwithstanding any other provision of law, this chapter establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event as defined in Section 27-62-3, and notification to the Commissioner of Insurance of a cybersecurity event as provided by this chapter. (b) This chapter […]

Section 27-62-3 – Definitions.

Section 27-62-3 Definitions. For purposes of this chapter, the following words have the following meanings: (1) AUTHORIZED INDIVIDUAL. An individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems. (2) COMMISSIONER. The Commissioner of Insurance. […]

Section 27-62-4 – Information Security Program.

Section 27-62-4 Information security program. (a) Commensurate with the size and complexity of the licensee, the nature and scope of the activities of the licensee, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the possession, custody, or control of the licensee, each licensee […]

Section 27-62-5 – Investigation of Cybersecurity Event.

Section 27-62-5 Investigation of cybersecurity event. (a) If the licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation. (b) During the investigation, the licensee, or an outside vendor or service provider […]

Section 27-62-6 – Notification of Cybersecurity Event.

Section 27-62-6 Notification of cybersecurity event. (a) Each licensee shall notify the commissioner as promptly as possible, but in no event later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met: […]

Section 27-62-7 – Power of Commissioner.

Section 27-62-7 Power of commissioner. (a) The commissioner may examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers which the commissioner has under Section 27-2-21. The investigation or examination shall […]

Section 27-62-8 – Confidentiality.

Section 27-62-8 Confidentiality. (a)(1) Any documents, materials, or other information in the control or possession of the department that are furnished by a licensee or an employee or agent acting on behalf of a licensee pursuant to subsection (i) of Section 27-62-4; subdivisions (2), (3), (4), (5), (8), (10), and (11) of subsection (b) of […]

Section 27-62-9 – Exceptions.

Section 27-62-9 Exceptions. (a) The following exceptions shall apply to this chapter: (1) A licensee is exempt from Section 27-62-4 if any of the following criteria apply: a. The licensee has fewer than 25 employees. b. The licensee has less than $5 million in gross annual revenue. c. The license has less than $10 million […]