MS HB911

Establishes the "Insurance Data Security Law" requiring all insurance licensees in Mississippi to develop, implement, and maintain comprehensive written information security programs based on risk assessments.

Mandates licensees conduct prompt investigations of cybersecurity events and notify the Commissioner within 3 business days if the event affects 250+ Mississippi residents or materially harms consumers or normal operations.

Requires licensees to implement administrative, technical, and physical safeguards including access controls, encryption for data in transit and on portable devices, multi-factor authentication, audit trails, and incident response plans.

Exempts licensees with fewer than 10 employees, less than $5 million in annual revenue, or less than $10 million in total assets, and those subject to HIPAA requirements.

Designates all investigation records and cybersecurity event notifications to the Commissioner as confidential and privileged, prohibiting their use in private civil actions without consent.