Governor John C. Carney, Jr., signed House Bill 174 (“HB 174”) into law, or the Delaware Insurance Data Security Act, which establishes a comprehensive regulatory framework requiring insurers licensed to do business in Delaware to implement information security programs, report data breaches in a timely manner to the Commissioner and consumers, and empowers the Department of Insurance to investigate violations of the Act and levy penalties accordingly.

Prior to the implementation of this law, there were no standards for insurance companies to follow regarding protection of consumers’ data, and notifying the Department. Historically, when an insurer determined that a data breach had occurred, notification to the Department of Insurance was delayed, sometimes by several months. The act: 

  • Requires insurance companies to implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ Nonpublic Information and personal data;
  • Requires insurers to conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised;
  • Notify the Insurance Commissioner within three  business days of determining that a data breach or cybersecurity event has occurred;
  • Mandates that insurers notify all impacted consumers within 60 days of the determination that their data has or may have been compromised;
  • Requires that insurers offer free credit monitoring services for one year to consumers impacted by breaches; and
  • Endows the Commissioner with the power to investigate the affairs of any insurer to determine whether they have been engaged in any conduct in violation of this Act and take action accordingly.

Work on enhancing insurance data security began after the Anthem data breach in 2015, in which hackers compromised nearly 80 million individuals’ personal information. Since then, there have been 15 insurance data breaches with Delawareans impacted, the most recent one involving Dominion National, a dental insurance carrier. The number of Delawareans impacted during the breaches during that period of time ranged from one policyholder to over 95,000 policyholders.