PA | Pennsylvania Acting Insurance Commissioner Michael Humphreys today applauded the passage of House Bill 739, the Pennsylvania Insurance Data Security Act, signed into law by Governor Josh Shapiro on June 14 as Act 2 of 2023 – after passing both the Pennsylvania House and Senate with unanimous, bipartisan support. The new law furthers Governor Shapiro’s vision of robust financial services oversight and strengthened consumer protections, and provides commonsense solutions and smart reforms to keep consumers safe across the Commonwealth.
“Governor Shapiro will always stand for the best interests of Pennsylvania’s insurance consumers and has prioritized ensuring that the industry is effective and working for Pennsylvanians,” said Humphreys. “This collaborative effort was focused on improving business processes and insurance regulatory tools to best safeguard our citizens’ personal information. The new bipartisan law makes Pennsylvania the largest state to enact these critical reforms and will make the industry more responsive and better prepared for cybersecurity events and cybercrime.”
The Pennsylvania Insurance Department (PID) has been preparing to implement this important initiative and has developed various tools that will assist consumers and companies dealing with cyber breaches. Coordination between PID and the industry is imperative not only in helping consumers deal with breaches, but also in preventing them – by ensuring that insurers have appropriate measures in place to protect consumers’ sensitive financial information.
FBI statistics report that cybercrime is on the rise. In 2022, Americans reported more than $10.3 billion in losses due to cybercrime, a 49 percent increase from 2021, and the FBI received more than 800,000 reported complaints. Pennsylvania saw more reported victims of cybercrime than Canada, India, Australia, France, and South Africa combined. The insurance industry is a particularly attractive target for cybercriminals due to the volume of personal information insurers maintain.
Act 2 requires insurance licensees (companies and individuals), except for certain small businesses, to conduct a risk assessment to identify cyber threats and determine the likelihood and potential damage of these threats. Each licensee is also required to develop a comprehensive information security program to mitigate identified risks and establish an incident response plan to recover from cybersecurity events, ensuring consumer protection in the event of a data breach.
Additionally, the Act requires licensees to notify the Insurance Commissioner within five business days that a cybersecurity event involving nonpublic information has occurred. Prompt notification to PID will allow the Department to work with insurers to help mitigate damages and assist consumers.
The National Association of Insurance Commissioners (NAIC) adopted a model insurance data security law in 2017 to promote data security standards and mitigate the potential damage of a data breach. The Pennsylvania Insurance Data Security Act is based on the NAIC model law. Pennsylvania joins 21 other states in adopting the model legislation.