New Delaware law requires insurers to report data breaches promptly
Insurance companies must quickly report cyber attacks under a new state law.
The legislation signed by Gov. John Carney (D) requires insurers to quickly investigate cyber attacks and notify the Delaware Insurance Commissioner of a breach within three business days.
The bill, sponsored by State Rep. Bill Bush (D-Cheswold), also mandates that companies tell consumers within 60 days that their data was hacked. If the data includes a Social Security number, insurers must offer consumers one year of credit monitoring.
The law applies to companies that call Delaware home - and to companies outside the state when a breach affects 250 or more consumers.
Delaware Insurance Commissioner Trinidad Navarro said insurance companies are prime targets for cyber attacks.
“So everyone has or purchases insurance,” he said. “So all of that data that insurance companies collect on you, your name, your address, your Social Security number, your next of kin, your loved ones. All that’s in their files.”
He adds that companies that don’t comply with the new law could face fines or other penalties.
Navarro said this bill gives his office more oversight over how insurers handle cyber threats.
“And it also gives us the authority to investigate these cases and make sure people are having their data protected,” he said. “And if it’s not, we can hold those companies accountable through fines and fees of that nature.”
Navarro said hackers have stolen customer data more than a dozen times from insurance companies in the past couple of years.
The Senate sponsor, State Sen. Trey Paradee (D-Dover), says it was a controversial bill to get through because of industry resistance. But the bill passed both chambers without opposition.