Delaware Passes Insurance Data Security Act

In July 2019, Delaware Governor John Carney Jr. signed HB 174 into law. This bill, titled the Delaware Insurance Data Security Act, requires insurers licensed to do business in Delaware to take a number of security measures with respect to consumer data.

What Requirements Does the Insurance Data Security Act Impose?

The Delaware Insurance Data Security Act requires that licensees – persons and businesses that are authorized to operate, or registered, under Delaware insurance law – develop, implement, and maintain written information security programs for the protection of nonpublic information. The insurance data security act begins to take effect on July 31, 2020.

What Entities are Authorized to Operate Under Delaware Insurance Law?

Entities authorized to operate under Delaware insurance law include traditional insurers – entities engaged as principal and as indemnitor, surety, or contractor, who are in the business of entering into contracts of insurance – as well as health services corporations, managed care organizations, or health maintenance organizations.

What Information is Subject to the Data Security Law?

The insurance data security act applies to “nonpublic information,” which is defined as electronic information that is not publicly available information and that falls into at least one of the following classes: 

Class 1: Information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with one or more of the following pieces of data:

  • Social Security number
  • Driver’s license number or non-driver identification card number
  • Financial account number, credit card number, or debit card number
  • A security code, access code, or password that would permit access to a consumer’s financial account
  • A biometric record

Class 2: Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can:

  • Be used to identify a particular consumer; and that relates to:
    • The past, present, or future physical, mental or behavioral health or condition of a consumer or a member of the consumer’s family; or
    • The provision of health care to any consumer; or
    • Payment for the provision of health care to any consumer. 

The insurance data security act defines a consumer as an individual applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who: 

  • Is a Delaware resident; and 
  • Whose nonpublic information is in a licensee’s possession, custody, or control.

What Does the Insurance Data Security Act Require That Licensees Do?

The insurance data security law requires that licensees develop written information security programs, ensure these programs satisfy certain objectives, and implement risk assessment measures.

  • Developing a Written Information Security Program: The insurance data security act requires licensees to:
      • Develop, implement, and maintain a comprehensive, written information security program that:
        • Is based on the licensee’s risk assessment; and
        • Contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
      • Ensure the information security program is commensurate with the following:
        • The size and complexity of the licensee
        • The nature and scope of the licensee’s activities
        • The sensitivity of the nonpublic information that the licensee uses or has in its possession, custody, or control
  • Satisfying Security Objectives: The information security program must be designed to do all of the following:
      • Protect the security and confidentiality of nonpublic information and the security of the information system.
      • Protect against threats or hazards to the security or integrity of nonpublic information and the information system.
      • Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer.
      • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when retention of the nonpublic information is no longer needed.

What Must a Risk Assessment Program Consist of?

For its risk assessment program, the licensee must designate an individual who will be responsible for managing and overseeing the information security program.

The licensee must also:

  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access or disclosure
  • Assess the likelihood and potential damage of threats
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage threats
  • Implement information safeguards

Does the Insurance Data Security Law Contain a Safe Harbor Provision?

The insurance data security act contains a safe harbor provision for licensees that are in compliance with HIPAA. If a licensee has established and maintained the HIPAA-required privacy, security, and data breach notification programs and procedures to protect PHI, the licensee is considered to meet the information security program requirements of the Delaware law. To qualify for safe harbor protection, licensees must submit written statements indicating that they are HIPAA-compliant.

This safe harbor provision is not to be confused with the HIPAA safe harbor rules, which require that protected health information (PHI) be de-identified.