United States: Pennsylvania's New Insurance Data Security Law

Pennsylvania Governor Josh Shapiro recently signed the Pennsylvania Insurance Data Security Act (PIDSA) into law, requiring covered licensed insurance companies to take specific actions to protect consumer information. With this law, Pennsylvania joins the growing collection of states that have adopted legislation based on the National Association of Insurance Commissioners' (NAIC) data security law model.¹ The Act goes into effect December 2023.

PIDSA applies to covered insurers, or "licensees," that are required to be licensed or registered under Pennsylvania insurance laws.² Under the Act, licensees have important new standards involving data security, cybersecurity investigations and notification to the Commissioner of cybersecurity events. These requirements include:

• Build an Information Security Program - Licensees are required to develop, implement and maintain their own comprehensive written information security program based on the licensee's risk assessment, designed to reduce the risk of cybersecurity events.³ Cybersecurity events under PIDSA are events resulting in unauthorized access to, disruption of or misuse of an information system or nonpublic information.⁴ The licensee must also designate responsibility for the information security program to one or more employees, an affiliate or an outside vendor.⁵
• Conduct Risk Assessments - PIDSA requires licensees to conduct risk assessments to identify reasonably foreseeable internal and external security threats, as well as assess the sufficiency of existing safeguards to manage such threats. Licensees will be required to assess the effectiveness of the safeguards, key controls, systems and procedures at least annually.⁶
• Keep up with Technology Changes - Licensees must monitor and evaluate their information security programs, adapting them to relevant changes in technology as well as the licensee's own changing business arrangements.⁷
• Incident Response Plan - Licensees are required to have a detailed incident response plan in place designed to both respond to and recover data from cybersecurity events, delineating responsibilities and levels of decision-making authority.⁸
• Notification of Cybersecurity Events - Under PIDSA licensees must notify the Commissioner no later than five days after determining that a cybersecurity event involving nonpublic information has occurred when certain criteria listed in the Act have been met.⁹
• Engage in Corporate Oversight - If a licensee has a board of directors, such board shall have the duty to require the licensee's executive management to implement the information security program and prepare written reports, at least annually, addressing the status of the information security program and related matters.¹⁰
• Due Diligence on Third Parties - Licensees must exercise due diligence over third-party providers, which includes requiring these third parties to implement appropriate technical, physical and administrative measures to secure information systems.¹¹

The implementation of PIDSA is heavily staggered.

Footnotes

1. Alabama, Alaska, Connecticut, Delaware, Hawaii, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Vermont, Virginia and Wisconsin. New York has its own data privacy requirements not based on the NAIC model law.

2. Pennsylvania Insurance Data Security Act, H.B. 739, Penn. Gen. Assem. Reg. Sess. 2023-2024 §§ 4502 (2023).

3. Id. § 4513(a).

4. Id. § 4502(1).

5. Id. § 4513(a), (b).

6. Id. § 4512(1-5).

7. Id. § 4513(d)(1).

8. Id. § 4513(e).

9. Id. § 4518(a).

10. Id. § 4514(a).

11. Id. § 4515(1-2).

12. Id. § 4536.

13. Id.

14. Id. § 4516(a).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.