§ 27-1-47. Notification of a cybersecurity event.
(a) Each domestic insurer shall notify the commissioner as promptly as possible but in
no event later than three (3) business days from a determination that a cybersecurity
event has occurred when either of the following criteria has been met:
(1) A cybersecurity event impacting the insurer of which notice is required to be provided
to any government body, self-regulatory agency, or any other supervisory body pursuant
to any state or federal law; or
(2) A cybersecurity event that has a reasonable likelihood of materially harming:
(i) Any consumer residing in this state; or
(ii) Any material part of the normal operation(s) of the insurer.
(b) The insurer shall provide any information required by this section in electronic form
as directed by the commissioner. The insurer shall have a continuing obligation to
update and supplement initial and subsequent notifications to the commissioner concerning
the cybersecurity event. The insurer shall provide as much of the following information
as possible. The insurer should indicate whether it is making claims under chapter 2 of title 38 to any of the information provided. The following information shall be provided:
(1) Date of the cybersecurity event;
(2) Description of how the information was exposed, lost, stolen, or breached, including
the specific roles and responsibilities of third-party service providers, if any;
(3) How the cybersecurity event was discovered;
(4) Whether any lost, stolen, or breached information has been recovered and if so, how
this recovery was achieved;
(5) The identity of the source of the cybersecurity event;
(6) Whether the insurer has filed a police report or has notified any regulatory, government,
or law enforcement agencies and, if so, when such notification was provided;
(7) Description of the specific types of information acquired without authorization. Specific
types of information consisting of particular data elements including, for example,
types of medical information, types of financial information, or types of information
allowing identification of the consumer;
(8) The period during which the information system was compromised by the cybersecurity
event;
(9) The number of total consumers in this state affected by the cybersecurity event. The
insurer shall provide the best estimate in the initial report to the commissioner
and update this estimate with each subsequent report to the commissioner pursuant
to this section;
(10) The results of any internal review identifying a lapse in either automated controls
or internal procedures, or confirming that all automated controls or internal procedures
were followed;
(11) Description of efforts being undertaken to remediate the situation that permitted
the cybersecurity event to occur;
(12) A copy of the insurer privacy policy and a statement outlining the steps the insurer
will take to investigate and notify consumers affected by the cybersecurity event;
and
(13) Name of a contact person who is both familiar with the cybersecurity event and authorized
to act for the insurer.
(c) An insurer shall comply with chapter 49.3 of title 11, as applicable, and provide a copy of the notice sent to consumers under that chapter
to the commissioner, when an insurer is required to notify the commissioner.
(d) Notice regarding cybersecurity events of third-party service providers.
(1) In the case of a cybersecurity event involving an insurer's nonpublic information
in a system maintained by a third-party service provider, of which the insurer has
become aware, the insurer shall treat that event as it would under subsection (a)
of this section;
(2) The computation of the insurer's deadlines shall begin on the day after the third-party
service provider notifies the insurer of the cybersecurity event or the insurer otherwise
has actual knowledge of the cybersecurity event, whichever is sooner;
(3) Nothing in this chapter shall prevent or abrogate an agreement between an insurer
and another insurer, a third-party service provider, or any other party to fulfill
any of the investigation requirements or notice requirements imposed under this section.
(e) Notice regarding cybersecurity events of reinsurers to insurers.
(1)(i) In the case of a cybersecurity event involving nonpublic information that is used
by the insurer that is acting as an assuming insurer or in the possession, custody,
or control of an insurer that is acting as an assuming insurer and that does not have
a direct contractual relationship with the affected consumers, the assuming insurer
shall notify its affected ceding insurers and the commissioner of its state of domicile
within seventy-two (72) hours of making the determination that a cybersecurity event
has occurred;
(ii) The ceding insurers that have a direct contractual relationship with affected consumers
shall fulfill the consumer notification requirements imposed under chapter 49.3 of title 11 ("Identity Theft Protection Act of 2015"), and any other notification requirements
relating to a cybersecurity event imposed under this section.
(2)(i) In the case of a cybersecurity event involving nonpublic information that is in the
possession, custody, or control of a third-party service provider of an insurer that
is an assuming insurer, the assuming insurer shall notify its affected ceding insurers
and the commissioner of its state of domicile within seventy-two (72) hours of receiving
notice from its third-party service provider that a cybersecurity event has occurred;
(ii) The ceding insurers that have a direct contractual relationship with affected consumers
shall fulfill the consumer notification requirements imposed under chapter 49.3 of title 11 and any other notification requirements relating to a cybersecurity event imposed
under this section.
(f) Notice regarding cybersecurity events of insurers to producers of record.
(1) In the case of a cybersecurity event involving nonpublic information that is in the
possession, custody, or control of an insurer or its third-party service provider
and for which a consumer accessed the insurer's services through an independent insurance
producer, the insurer shall notify the producers of record of all affected consumers
as soon as practicable as directed by the commissioner.
(2) The insurer is excused from this obligation for those instances in which it does not
have the current producer of record information for any individual consumer.