SB 134 Summary

• Establishes exclusive state standard for insurance data security requiring licensees to conduct risk assessments and develop comprehensive written information security programs protecting nonpublic information.

• Requires licensees with 10+ employees to implement administrative, technical, and physical safeguards including access controls, encryption, audit trails, employee training, and incident response plans reviewed annually by board of directors.

• Mandates notification to insurance director within 3 business days of cybersecurity events affecting state residents, with detailed reporting on event nature, affected consumers, and remediation efforts.

• Makes cybersecurity-related documents and information provided to or obtained by the insurance director confidential and privileged, prohibiting discovery and testimony in private civil actions.

• Eliminates cost-sharing and deductibles for mammography screening, diagnostic breast examinations, and supplemental breast examinations under health insurance plans (with exception for high deductible health savings account plans).