HB 174 Summary

• Establishes the Insurance Data Security Act as exclusive state standards for data security and cybersecurity event notification requirements for Delaware insurance licensees.

• Requires licensees to develop and maintain comprehensive written information security programs with administrative, technical, and physical safeguards based on risk assessments, with board oversight and annual certification to the Commissioner by February 15.

• Mandates licensees notify the Delaware Insurance Commissioner within 3 business days of determining a cybersecurity event has occurred that meets specified criteria, including material harm to consumers or operations, or involvement of 250+ consumers' nonpublic information.

• Requires licensees to notify affected consumers within 60 days of discovering a cybersecurity event with reasonable likelihood of materially harming them and must offer 1 year of free credit monitoring services if Social Security numbers were breached.

• Licensees with fewer than 15 employees are exempt from information security program requirements; those subject to HIPAA and compliant with its standards are deemed compliant with this Act; violations subject to penalties under Delaware Code § 329.