AL HB101
Bill
Status
4/2/2019
Primary Sponsor
Kerry Rich
AI Summary
HB 101 - Insurance Data Security Law Summary
- Establishes exclusive state standards for information security programs, cybersecurity event investigations, and breach notifications for Alabama insurance licensees.
- Requires insurers and licensed entities to develop comprehensive written security programs with administrative, technical, and physical safeguards commensurate with their size and complexity; programs must include incident response plans and annual board reporting.
- Mandates licensees notify the Commissioner of Insurance within 3 business days of cybersecurity events involving nonpublic information affecting 250+ state consumers or materially harming consumers or operations.
- Provides exemptions for licensees with fewer than 25 employees, less than $5 million in annual revenue, less than $10 million in assets, or entities already compliant with HIPAA or Gramm-Leach-Bliley Act requirements.
- Establishes civil penalties up to $10,000 per violation for non-producer licensees; makes reported information confidential and privileged; requires 1-year implementation for most provisions and 2-year implementation for incident response plans.
Legislative Description
Insurance Data Security Law, Insurance Commissioner to regulate, reports to Insurance Dept., licensee to implement information security programs, oversight of third-party providers, reports re cybersecurity events, criminal penalties, Secs. 10A-20-6.16, 27-21A-23 am'd.
Insurance Department
Last Action
Read for the first time and referred to the Senate committee on Banking and Insurance
4/2/2019