CS for HB 324 - Insurance Data Security

• Establishes exclusive state data security standards for insurance licensees and governs investigation and notification of cybersecurity events under AS 21.23.240-21.23.399.

• Requires licensees to conduct risk assessments, develop comprehensive written information security programs with administrative, technical, and physical safeguards, and designate a responsible person or vendor to oversee the program.

• Mandates licensees notify the director within three business days of determining a cybersecurity event has occurred if the licensee is a state-domiciled insurer, an insurance producer with the state as home state, or reasonably believes 250+ Alaska consumers are affected with material harm likelihood.

• Requires licensees to investigate cybersecurity events, maintain five-year records, and provide detailed notification information including event date, description of exposed information, remediation efforts, consumer count, and contact information.

• Makes director-received documents and investigation materials confidential and privileged, prohibiting discovery, subpoena, or admission in private civil actions; applies January 1, 2025, with full implementation by January 1, 2027.