DE | On June 16, PBI Research Services, a third-party vendor for Genworth Financial, disclosed a data breach that impacted the personal information of an estimated 2.5-2.7 million individuals, including about 8,000 Delaware residents. At this time, the company has indicated that the potentially compromised information may include agents, policyholders, and beneficiaries’ data including names, contact information, dates of birth, social security numbers, and policy numbers. Consumers are urged to be vigilant in protecting their data, as beneficiaries may not be aware of policies that contain their information, particularly in regard to life insurance benefits.
This event triggers Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following now occur:
- Investigation of a cybersecurity event and correction of compromised information systems
- Detailed reporting to the Insurance Commissioner
- Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
- Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit
Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly.
“I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”
The department has received a relevant policyholder list, including consumers of long-term care, life insurance, and annuities lines, which investigators may use to check company compliance with the Act. Consumer service representatives may also use this information to help concerned agents, policyholders, and beneficiaries who contact the office.
This incident was a part of a significant cybersecurity attack involving the MOVEit file transfer system, with the breach likely occurring May 29-30 before a corrective action was implemented on June 2. The department has not at this time been notified of additional insurer or insured information being accessed as part of this breach.
The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.