HB2130 - Insurance Data Security Law

• Establishes data security standards and cybersecurity event notification requirements for Illinois-licensed insurance entities, including insurers and insurance producers.

• Requires licensees to develop and maintain comprehensive written information security programs including administrative, technical, and physical safeguards based on risk assessments; licensees with fewer than 50 employees are exempt from this requirement.

• Mandates licensees notify the Director of Insurance within 3 business days of determining a cybersecurity event has occurred when it affects 250+ Illinois consumers or has reasonable likelihood of materially harming consumers or normal operations.

• Requires licensees to conduct prompt investigations of cybersecurity events, maintain incident response plans, and provide specified information to the Director including event details, affected consumer count, and remediation efforts.

• Designates information submitted to the Department of Insurance regarding cybersecurity events as confidential and privileged, exempt from Freedom of Information Act disclosure and private civil litigation discovery.