IL HB3040
Bill
Status
2/18/2021
Primary Sponsor: Keith Wheeler
AI Summary
HB3040 - Insurance Data Security Act
- Creates the Insurance Data Security Act requiring Illinois-licensed insurers to develop written information security programs based on cybersecurity risk assessments and implement administrative, technical, and physical safeguards for nonpublic information.
- Requires licensees to establish written incident response plans, conduct annual assessments of security controls, designate a responsible security officer, and provide employee cybersecurity training based on identified risks.
- Mandates insurers domiciled in Illinois to notify the Director of Insurance within 72 hours of determining a cybersecurity event has occurred when the state is the home state or 250+ Illinois consumers are affected with material impact.
- Establishes confidentiality protections for information submitted to the Department of Insurance, exempting it from Freedom of Information Act requests, subpoenas, and use in private civil actions, while allowing the Director to share information with regulators and law enforcement.
- Effective January 1, 2022; exempts insurers with fewer than 10 employees and those complying with federal Health Insurance Portability and Accountability Act requirements; violations subject to penalties under the Illinois Insurance Code.
Legislative Description: INSURANCE DATA SECURITY ACT
Last Action: Rule 19(a) / Re-referred to Rules Committee (3/27/2021)