State Regulatory Developments

PA Enacts Insurance Data Security Law

Pennsylvania’s Governor recently signed into law the Pennsylvania Insurance Data Security Act (the Act), which requires insurance companies to safeguard consumer information.  The Act goes into effect on December 11, 2023.

Under the Act, covered Insurers (as defined in the Act) must develop, implement, and maintain an information security program that is designed to mitigate against the risk of cybersecurity events that could result in the unauthorized access to or misuse of nonpublic consumer information.  This program must also determine which security measures are appropriate and implement such measures.  Insurers must conduct risk assessments in order to identify reasonably foreseeable internal and external threats, assess the likelihood and potential damage of such threats, and assess the sufficiency of existing safeguards against such threats.  Insurers must also monitor, evaluate and adjust their information security programs to respond to any relevant changes in technology, any internal or external threats that may later be identified, and any changes in corporate structures, such as mergers and acquisitions. 

The information security program must also include incident response plans designed to promptly respond to cybersecurity events.  In addition to maintaining records concerning all cybersecurity events, Insurers must notify the Pennsylvania Insurance Commissioner (the Commissioner) of certain cybersecurity events no later than five business days from when they determine that such an event has occurred.

For Insurers that have boards of directors, the Act requires such boards to engage in corporate oversight.  The boards’ oversight responsibilities include, but are not limited to, developing, implementing, and maintaining the information security program.  They must also prepare written reports at least annually that address, among other things, material matters related to the program.  Insurers are also required to exercise due diligence in selecting third-party service providers and to require such providers to implement appropriate safeguards.

The following are important compliance dates:

  • By December 11, 2024, Insurers must be in compliance with requirements regarding risk assessment, information security program, and corporate oversight.
  • By December 11, 2025, Insurers must be in compliance with requirements regarding oversight of third-party service providers.
  • By April 15, 2026, Insurers must submit their first annual written statement to the Commissioner certifying compliance with the Act.