In June 2023, Pennsylvania Governor Josh Shapiro signed into law a cybersecurity bill, the Pennsylvania Insurance Data Security Act (the “Act”), that requires insurance licensees (with an exception for certain small businesses) to conduct a risk assessment to identify cybersecurity threats and determine the potential damage that might occur. Also required under the Act is the development by each licensee of a comprehensive written information security program to address and mitigate the identified risks and to establish an incident response plan to recover from cybersecurity events in the hopes of ensuring consumer protection in the event of a breach. Licensees must notify the state insurance commissioner as soon as possible, but in no event later than five days, of any cybersecurity events that involve non-public information so that the insurance department can work with the insurers to assist customers and attempt to mitigate damages.
The Act is based on the National Association of Insurance Commissioners (“NAIC”) model insurance data security law from 2017 which was enacted to promote data security standards and mitigate potential damages from a breach. Pennsylvania is the 22nd state to adopt a state law from the NAIC model law.
The Act becomes effective December 11, 2023. The Risk Assessment, Information Security Program, and Corporate Oversight requirements must have been implemented by December 11, 2024. The additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee must be implemented by December 11, 2025. And no later than April 15, 2026, each insurer must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in the Act. Additional information and resources to help licensees understand and comply with the Act are in process and will be made available by the Pennsylvania Insurance Department when completed.
The Commissioner can examine licensees to review all documentation related to their cybersecurity programs as this goes into effect. Any violations found can result in penalties that range from monetary fines to suspension of the licensee’s license or even a cease-and-desist order.
PA Insurance Data Security Act Exemptions
Licensees meeting any of the following criteria are exempt from the sections relating to Risk Assessment, Information Security Program, Corporate Oversight, Oversight of Third-Party Service Provider Arrangements, and Certification:
- The licensee has fewer than 10 employees.
- The licensee has less than $5,000,000 in gross revenue.
- The licensee has less than $10,000,000 in year-end total assets.
Being a smaller organization may exempt you from certain elements of the new Act, but it does not make you immune to potential cyber events.
Authors: Shawn Gillon, Partner | [email protected] and Julie Tracy, Executive Cybersecurity Advisor | [email protected]
Contact Us
For more information on this topic, please contact a member of Withum’s Cyber and Information Security Services Team.