Delaware issues data security rules for insurance licensees

All Delaware insurers must submit annual compliance certification by February 15 under the state’s Insurance Data Security Act

By Kiernan Green

On Thursday, Delaware’s Department of Insurance reissued Universally Applicable Bulletin No. 5 regarding the Delaware Insurance Data Security Act, originally issued August 29, 2019 and updated October 8, 2020.

Delaware Insurance Commissioner Trinidad Navarro used the bulletin to remind all individuals and entities engaged in any aspect of the insurance business in Delaware of their obligations under the Delaware Insurance Data Security Act, codified at 18 Del. C. Chapter 86. These include, notably, an annual certification of compliance, due to the Delaware Department of Insurance by February 15 each year.

The Act requires Delaware “licensees” (as defined in the statute, with exclusions for certain out‑of‑state risk retention and assuming insurers) to implement information security programs and conduct risk assessments to prevent data breaches involving consumers’ nonpublic information, with such programs to be implemented no later than August 1, 2020 and third‑party service provider oversight no later than August 1, 2021.

They must also conduct investigations to determine whether a cybersecurity event has occurred and whose data may have been compromised; notify the Delaware Department of Insurance within three business days of determining that a cybersecurity event has occurred; notify all impacted consumers within 60 days of determining that their data has or may have been compromised; and offer one year of free credit monitoring services to affected consumers.

The bulletin confirms that the Delaware Insurance Commissioner may investigate insurers’ affairs for potential violations of the Act and states that Universally Applicable Bulletin No. 3, concerning notification of data breaches, is rescinded as it is now superseded by the Act, although licensees mailing information to consumers are told they should continue to use closed‑faced envelopes.

For Delaware licensees subject to the Act, data breach or cybersecurity event notices must be sent to doidatasecurity@delaware.gov and include specified details such as discovery and occurrence dates, description, affected information, affected Delaware policyholders, and a copy of consumer notifications.

Insurers domiciled in Delaware must also submit by February 15 a written statement certifying compliance with the Act together with the affidavit attached to the reissued bulletin, again via the same dedicated email address, subject to statutory exemptions for certain small and HIPAA‑regulated licensees and for employees or agents covered under another licensee’s information security program.
