Pennsylvania: Bill on insurance data security signed by Governor

On June 14, 2023, House Bill 739 on insurance data security was approved by the Governor of Pennsylvania and enacted as Act No. 2 of 2023. The bill was first introduced in the State House of Representatives in March 2023 and was then passed by the House and by the State Senate at the beginning of June 2023.

Obligations

In summary, the Act requires an insurance licensee, defined as a person that is or is required to be licensed, authorized to operate, or registered under the insurance laws of Pennsylvania, to carry out a risk assessment to identify cyber threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of non-public information. The assessment must cover the security of information systems and non-public information that are accessible to, or held by, third-party service providers. Under the Act, licensees must also assess the likelihood and potential damage of such threats, and evaluate the sufficiency of the policies, procedures, information systems, and other safeguards in place to manage threats in each relevant area of the licensee's operations. Certain small businesses are exempt from this risk assessment obligation.

In addition, the Act obliges insurance licensees to establish an information security program to reduce the identified risks, and an incident response plan to recover from cybersecurity incidents and protect consumers in the event of a data breach.

The Act also establishes a specific notification obligation: when certain criteria are met, licensees must notify the Insurance Commissioner of the Commonwealth as promptly as possible, and in no event later than five business days after determining that a cybersecurity event involving non-public information in the licensee's possession has occurred.

Lastly, the Act gives licensees one year from its effective date to implement most of its Sections, and two years from that date to implement Section 4515, which concerns oversight of third-party service provider arrangements.

You can read the Act here and view its history here.