Rhode Island: Bill for Insurance Data Security Act introduced
House Bill ('HB') 5200 for the Insurance Data Security Act was introduced, on 27 January 2021, to the Rhode Island House of Representatives and referred to the Committee on Corporations. In particular, HB 5200 would adopt the National Association of Insurance Commissioners Cybersecurity Act. In addition, HB 5200 would require licensees to implement an information security program in accordance with their 'size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody or control, shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system'.
Moreover, in the event of a cybersecurity incident, licensees are required to notify the Office of the Health Insurance Commissioner of Rhode Island ('the Commissioner') no later than 72 hours from the determination that a cybersecurity incident has occurred when either of the following has been met:
- Rhode Island is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in § 27-2.4-2 of the General Laws of Rhode Island; or
- the licensee reasonably believes that the nonpublic information involved affects 250 or more consumers residing in this state and that is either of the following:
  - a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
  - a cybersecurity event that has a reasonable likelihood of materially harming:
    - any consumer residing in this state; or
    - any material part of the normal operation of the licensee.
Furthermore, HB 5200 would require licensees to provide any information required in electronic form as directed by the Commissioner, and would place licensees under a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.
You can read HB 5200 here.