Rhode Island’s new insurance data privacy law to come into effect in 2025



Insurance Business America

It will require insurers to respond more quickly to cyber breaches

Rhode Island has enacted an insurance privacy law that requires insurance companies to develop and maintain a comprehensive written information security program based on a risk assessment and detailing security measures for nonpublic information.

The bill, which was submitted to the Rhode Island Secretary of State by Gov. Dan McKee’s office on June 26 without his signature, will take effect on January 1, 2025.

The new law requires insurers to notify the insurance commissioner within three days of discovery of a cybersecurity incident if notification to a government agency, self-regulatory agency, or other regulatory agency is required by state or federal law. Insurers must also notify the commissioner if a cyber event is likely to harm Rhode Island consumers or impact the carrier’s ability to operate in the state.

According to a report, notifications must include the date of the event, a description of the data compromised, how the event was discovered, whether the data is recoverable, and the number of consumers potentially affected. These requirements also apply to cybersecurity incidents at third-party service providers that hold non-public information on the insurer’s behalf.

Insurers operating in Rhode Island are required to submit an annual statement attesting to compliance with privacy laws. If any part of a security plan is found to be deficient, the annual report should outline how the problems will be corrected. These statements must be submitted to the Insurance Commissioner by April 15 each year.

The law also requires insurers to retain records for five years following a cybersecurity incident and make them available to the state insurance commissioner upon request. Insurers are required to regularly re-evaluate their retention of non-public information and consider mechanisms to destroy old, unnecessary data.

Cybersecurity plans based on risk assessment should anticipate internal and external threats and assess their likelihood and potential damage. Plans should also assess the effectiveness of measures such as cybersecurity training for employees, data transfer and disposal security measures, and the ability to detect and deter cyberattacks.

The law requires the creation of incident response plans that take into account factors such as the internal process for responding to an attack, the roles and responsibilities of decision makers during the event, plans for internal and external communications, and documentation and reporting of the event.

Matthew Gendron, general counsel and chief of compliance for the Rhode Island Division of Financial Services, said in an email that the department supported the Legislature in passing this bill and joining the 24 states that have adopted the NAIC model law. He added that this gives the department more authority to protect consumers.

Gendron said the department is preparing a bulletin for the fall to keep stakeholders informed and answer frequently asked questions.


2024-07-01 15:01:48

www.insurancebusinessmag.com