MS SB2831

Bill

Status

Passed

4/3/2019

Primary Sponsor

Videt Carmichael

Origin

Senate

2019 Regular Session

AI Summary

SB 2831 Summary

  • Establishes Mississippi's "Insurance Data Security Law" requiring licensed insurance entities to develop, implement, and maintain comprehensive information security programs based on risk assessments, including administrative, technical, and physical safeguards for protecting nonpublic consumer information.

  • Requires licensees to conduct prompt investigations of cybersecurity events and notify the Insurance Commissioner within 3 business days when events involve 250+ state residents or meet other materiality thresholds, providing detailed information about the breach and remediation efforts.

  • Mandates licensees establish written incident response plans addressing internal response processes, roles and responsibilities, communications protocols, and procedures for system remediation and documentation following cybersecurity events.

  • Designates cybersecurity event information and investigation materials as confidential and privileged, exempt from public records requests and civil discovery, though the Commissioner may share information with other regulators and law enforcement under confidentiality agreements.

  • Exempts certain entities from requirements, including insurers with fewer than 50 employees, less than $5 million annual revenue, less than $10 million in assets, insurance producers and adjusters, and those already compliant with HIPAA or Gramm-Leach-Bliley Act standards; effective July 1, 2019, with a one-year implementation deadline for most requirements.

Legislative Description

Insurance Data Security Law; create.

Last Action

Approved by Governor

4/3/2019

Committee Referrals

Insurance

1/21/2019

Full Bill Text

No bill text available