SPONSOR:

Rep. Bush & Rep. Griffith & Sen. Paradee & Sen. Poore

Reps. Baumbach, Dorsey Walker, Dukes, Matthews, Seigfried, Michael Smith; Sens. Pettyjohn, Sokola

HOUSE OF REPRESENTATIVES

150th GENERAL ASSEMBLY

HOUSE BILL NO. 174

AN ACT TO AMEND TITLE 18 OF THE DELAWARE CODE RELATING TO THE INSURANCE DATA SECURITY ACT.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

Section 1. Amend Title 18 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underlining as follows:

Chapter 86. Insurance Data Security Act.

§ 8601. Short title.

This Act is known and may be cited as the “Insurance Data Security Act.”

§ 8602. Purpose and intent.

(a) Notwithstanding any other provision of law, this chapter establishes the exclusive state standards for data security and the investigation of, and notification to, the Commissioner and consumers when a cybersecurity event involving a licensee under Title 18 occurs.

(b) This chapter may not be construed to create or imply a private cause of action for violation of its provisions, nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this chapter.

§ 8603. Definitions.

As used in this chapter:

(1) “Authorized individual” means an individual to whom a licensee gave authorization to access and use nonpublic information that the licensee and the licensee’s information system holds.

(2) “Commissioner” means the Insurance Commissioner of the State of Delaware.

(3) “Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this State and whose nonpublic information is in a licensee’s possession, custody, or control.

(4) “Cybersecurity event” means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system. “Cybersecurity event” does not include either of the following:

a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.

b. An event for which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

(5) “Department” means the Department of Insurance.

(6) “Encrypted” means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

(7) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

(8) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and a specialized system such as an industrial or process controls system, telephone switching and private branch exchange system, or environmental control system.

(9) “Insurer” includes an insurer, health service corporation, managed care organization, or health maintenance organization licensed under Title 18.

(10) “Licensee” means a person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of this State. “Licensee” does not mean either of the following:

a. A purchasing group or risk retention group that is chartered and licensed in a state other than this State.

b. A licensee that is acting as an assuming insurer that is domiciled in a state other than this State or another jurisdiction.

(11) “Multi-factor authentication” means authentication through verification of at least 2 of the following types of authentication factors:

a. Knowledge factors, such as a password.

b. Possession factors, such as a token or text message on a mobile phone.

c. Inherence factors, such as a biometric characteristic.

(12) “Nonpublic Information” means electronic information that is not publicly-available information and is at least 1 of the following:

a. Information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with any 1 or more of the following data elements:

1. Social Security number.

2. Driver’s license number or non-driver identification card number.

3. Financial account number or credit or debit card number.

4. A security code, access code, or password that would permit access to a consumer’s financial account.

5. A biometric record.

b. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or consumer that can be used to identify a consumer and relates to any of the following:

1. The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of a consumer’s family.

2. The provision of health care to a consumer.

3. Payment for the provision of health care to a consumer.

(13) “Notice”, for purposes of the consumer notice required under § 8606(c) of this title, means any of the following:

a. Written notice.

b. Telephonic notice.

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic signatures and records under 15 U.S.C. § 7001 or if the licensee’s primary means of communication with the consumer is by electronic means.

1. Substitute notice, if any of the following apply:

A. The licensee who is required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000.

B. The affected number of consumers to be notified exceeds 100,000.

C. The licensee does not have sufficient contact information to provide notice.

2. “Substitute notice” means all of the following:

A. Electronic notice, if the licensee has an email address for the affected consumer.

B. Conspicuous posting of the notice on the licensee’s website page, if the licensee maintains 1 or more website pages.

C. Notice to major statewide media, including newspapers, radio, and television.

D. Publication on the major social media platforms of the licensee who is providing notice.

(14) “Person” means as defined in § 102 of this title.

(15)a. “Publicly-available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public, including any of the following:

1. A federal, state, or local government record.

2. A widely-distributed information source or media.

3. A disclosure to the general public that is required under federal, state, or local law.

b. For purposes of this definition, “reasonable basis to believe that information is lawfully made available to the general public” means a licensee has taken steps and determined all of the following:

1. That the information is of the type that is available to the general public.

2. If a consumer can direct that the information may not be made available to the general public, the consumer has not done so.

(16) “Risk assessment” means the action that a licensee is required to take under § 8604(c) of this title.

(17) “State”, if capitalized, means the State of Delaware.

(18) “Third-party service provider” means a person who is not a licensee and who contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through the person’s provision of services to the licensee.

§ 8604. Information security program.

(a) Implementation of an information security program.

(1) A licensee shall develop, implement, and maintain a comprehensive, written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.

(2) An information security program under this section must be commensurate with the size and complexity of a licensee; the nature and scope of a licensee’s activities, including the licensee’s use of a third-party service provider; and the sensitivity of the nonpublic information that the licensee uses or has in the licensee’s possession, custody, or control.

(b) Objectives of information security program. A licensee’s information security program must be designed to do all of the following:

(1) Protect the security and confidentiality of nonpublic information and the security of the information system.

(2) Protect against threats or hazards to the security or integrity of nonpublic information and the information system.

(3) Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to a consumer.

(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when retention of the nonpublic information is no longer needed.

(c) Risk assessment. A licensee shall do all of the following:

(1) Designate 1 or more employees, an affiliate, or an outside vendor designated to act on the licensee’s behalf and be responsible for managing and overseeing the information security program.

(2) Identify reasonably-foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of an information system or nonpublic information that a third-party service provider has access to or holds.

(3) Assess the likelihood and potential damage of a threat identified under paragraph (c)(2) of this section, taking into consideration the sensitivity of the nonpublic information.

(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage a threat identified under paragraph (c)(2) of this section, including consideration of threats in each relevant area of the licensee’s operations, including all of the following:

a. Employee training and management.

b. An information system, including network and software design and information classification, governance, processing, storage, transmission, and disposal.

c. Detecting, preventing, and responding to an attack, intrusion, or other system failure.

(5) Implement information safeguards to manage the threats identified in the licensee’s ongoing assessment under paragraph (c)(2) of this section and, at least annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.

(d) Risk management. Based on a licensee’s risk assessment, the licensee shall do all of the following:

(1) Design an information security program to mitigate the identified risks, commensurate with all of the following:

a. The licensee’s size and complexity.

b. The nature and scope of the licensee’s activities, including the licensee’s use of a third-party service provider.

c. The sensitivity of the nonpublic information that the licensee uses or has in the licensee’s possession, custody, or control.

(2) Determine if a security measure listed in paragraphs (d)(2)a. through k. of this section is appropriate and implement each appropriate security measure.

a. Place an access control on an information system, including a control to authenticate and permit access only to an authorized individual to protect against the unauthorized acquisition of nonpublic information.

b. Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy.

c. Restrict physical access to nonpublic information to authorized individuals only.

d. Protect by encryption or other appropriate means all nonpublic information while the nonpublic information is transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media.

e. Adopt both of the following:

1. Secure development practices for an application that a licensee uses and was developed in-house.

2. Procedures for evaluating, assessing, or testing the security of an application that a licensee uses and was developed externally.

f. Modify the information system in accordance with the licensee’s information security program.

g. Utilize effective controls, which may include multi-factor authentication procedures for employees or authorized individuals accessing nonpublic information.

h. Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions, into an information system.

i. Include audit controls within the information security program designed to do both of the following:

1. Detect and respond to a cybersecurity event.

2. Reconstruct material financial transactions sufficient to support the licensee’s normal operations and obligations.

j. Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage, other catastrophes, or technological failures.

k. Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.

(3) Include cybersecurity risks in the licensee’s enterprise risk management process.

(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.

(5) Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks that the licensee identified in the licensee’s risk assessment under this section.

(e) Oversight by board of directors. If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, do all of the following:

(1) Require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s information security program.

(2) Require the licensee’s executive management or its delegates to report in writing at least annually all of the following information:

a. The overall status of the information security program and the licensee’s compliance with this chapter.

b. Material matters related to the information security program, including addressing issues such as the following:

1. Risk assessment, risk management, and control decisions.

2. Third-party service provider arrangements.

3. Results of testing.

4. Cybersecurity events or violations and management’s responses to the events.

5. Recommendations for changes in the information security program.

(3) If executive management delegates any of its responsibilities under § 8604 of this title, all of the following must occur:

a. Executive management shall oversee the development, implementation, and maintenance of the licensee’s information security program that the delegate prepares.

b. The delegate shall submit to executive management a report that complies with the requirements of the report to the board of directors under paragraph (e)(2) of this section.

(f) Oversight of third-party service provider arrangements.

(1) A licensee shall exercise due diligence in selecting a third-party service provider.

(2) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information system and nonpublic information that the third-party service provider has access to or holds. The third-party service provider is not considered to have access to or hold encrypted nonpublic information for purposes of this section if the associated protective process or key necessary to assign meaning to the nonpublic information is not within the third-party service provider’s possession.

(g) Program adjustments. A licensee shall monitor, evaluate, and adjust as appropriate the information security program consistent with all of the following:

(1) Relevant changes in technology.

(2) The sensitivity of the licensee’s nonpublic information.

(3) Internal or external threats to information.

(4) The licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

(h) Incident response plan.

(1) As part of a licensee’s information security program, the licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of any of the following:

a. Nonpublic information in the licensee’s possession.

b. The licensee’s information system.

c. The continuing functionality of any aspect of the licensee’s business or operations.

(2) An incident response plan under this section must address all of the following areas:

a. The internal process for responding to a cybersecurity event.

b. The goals of the incident response plan.

c. The definition of clear roles, responsibilities, and levels of decision-making authority.

d. External and internal communications and information sharing.

e. Identification of requirements for the remediation of any identified weaknesses in an information system and associated controls.

f. Documentation and reporting regarding cybersecurity events and related incident response activities.

g. As necessary, the evaluation and revision of the incident response plan following a cybersecurity event.

(i) Annual certification to the Commissioner of Domiciliary State. An insurer domiciled in this State shall do all of the following:

(1) Submit annually to the Commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements under this section.

(2) Maintain for the Department’s examination all records, schedules, and data supporting a certification under this subsection (i) of this section for a period of 5 years.

(3) To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, document the identification and the remedial effort planned and underway to address the identified area, system, or process. Documentation under this paragraph (i)(3) of this section must be available for the Commissioner’s inspection.

§ 8605. Investigation of a cybersecurity event.

(a) If a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.

(b) During an investigation under this section, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum, do as much of the following as possible:

(1) Determine whether a cybersecurity event has occurred.

(2) Assess the nature and scope of the cybersecurity event.

(3) Identify the nonpublic information that may have been involved in the cybersecurity event.

(4) Perform or oversee reasonable measures to restore the security of the information system compromised in the cybersecurity event to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.

(c) If a licensee provides nonpublic information to a third-party service provider and learns that a cybersecurity event has or may have occurred in a system that the third-party service provider maintains, the licensee shall complete the steps listed in § 8605(b) of this title or make reasonable efforts to confirm and document that the third-party service provider has completed the steps.

(d) A licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon the Commissioner’s demand.

§ 8606. Notification of a cybersecurity event.

(a) Notification to the Commissioner. A licensee shall notify the Commissioner as promptly as possible but in no event later than 3 business days from the licensee’s determination that a cybersecurity event has occurred if either of the following criteria has been met:

(1) The licensee is an insurer who is domiciled in this State or a producer whose home state is this State, as “home state” is defined under Chapter 17 of this title, and the cybersecurity event results in any of the following:

a. A reasonable likelihood of materially harming a consumer.

b. A reasonable likelihood of materially harming any material part of the licensee’s normal operation.

c. The licensee is required to provide notice of the cybersecurity event to a government body, self-regulatory agency, or other supervisory body under state or federal law.

(2) The licensee reasonably believes that the nonpublic information involved is regarding 250 or more consumers and either of the following apply:

a. The cybersecurity event impacts a licensee that is required to provide notice to a government body, self-regulatory agency, or other supervisory body under state or federal law.

b. The cybersecurity event has a reasonable likelihood of materially harming either of the following:

1. A consumer.

2. A material part of the licensee’s normal operations.

(b) Notice requirements.

(1)a. If notice to the Commissioner is required under subsection (a) of this section, a licensee shall provide the information in a form as directed by the Commissioner.

b. A licensee has a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner regarding material changes to previously-provided information relating to a cybersecurity event.

(2) A licensee shall provide as much of the following information as possible:

a. Date of the cybersecurity event.

b. Description of how the information was exposed, lost, stolen, or breached, including the specific role and responsibility of a third-party service provider, if any.

c. How the cybersecurity event was discovered.

d. Whether any lost, stolen, or breached information has been recovered and, if so, how it was lost, stolen, or breached.

e. The identity of the source of the cybersecurity event.

f. Whether the licensee has filed a police report or notified a regulatory, government, or law enforcement agency and, if so, when the notification was provided.

g. Description of the specific types of information acquired without authorization. For the purposes of this paragraph (b)(2)g. of this section, “specific types of information” means particular data elements, including medical information, financial information, or information allowing identification of a consumer.

h. The period during which the cybersecurity event compromised the information system.

i. The number of total consumers in this State who are affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update the estimate with each subsequent report to the Commissioner under this section.

j. The results of an internal review identifying a lapse in either automated controls or internal procedures, or confirming that the automated controls or internal procedures were followed.

k. Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.

l. A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify a consumer affected by a cybersecurity event.

m. The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

(c) Notification to consumers. If a licensee determines that a cybersecurity event that has a reasonable likelihood of materially harming a consumer has occurred and the event is 1 for which the licensee is required under subsection (a) of this section to notify the Commissioner, the licensee shall provide notice of the event to each affected consumer and provide a copy of the notice to the Commissioner.

(1) A licensee must provide notice under this subsection (c) of this section without unreasonable delay but no later than 60 days after determining that a cybersecurity event occurred, unless any of the following apply:

a. Federal law requires a shorter time period.

b. A law-enforcement agency determines that the notice will impede a criminal investigation and the law-enforcement agency has requested that the licensee delay notice. Delayed notice must be made after the law-enforcement agency determines, and notifies the licensee, that notice will not compromise the criminal investigation.

c. If a licensee that is otherwise required by this section to provide notice could not, through reasonable diligence, identify within 60 days of a cybersecurity event that a consumer’s nonpublic information was included in the event, the licensee must provide the notice required under this section to the consumer as soon as practicable after the identification, unless the licensee provides or has provided substitute notice under § 8603(13) of this title.

(2) If a cybersecurity event includes a Social Security number, a licensee shall offer to each consumer whose nonpublic information, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to the consumer for a period of 1 year.

a. The licensee shall provide all information necessary for the consumer to enroll in credit monitoring services and include information on how the consumer can place a credit freeze on the consumer's credit file.

b. Credit monitoring services are not required if, after an appropriate investigation, the licensee reasonably determines that the cybersecurity event is unlikely to result in harm to the consumer whose nonpublic information has been breached.

(3) If a cybersecurity event consists of a breach of email account login credentials that the licensee furnished to the consumer, including a username or email address in combination with a password or security question and answer that permit access to an online account, the licensee may not provide notice under this section via the involved email address. The licensee must instead provide notice under this section through another method under § 8603(13) of this title or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or online location from which the licensee knows the consumer customarily accesses the account.

(d) Notice regarding cybersecurity events of third-party service providers.

(1) If a cybersecurity event occurs in a system that a third-party service provider maintains and of which a licensee has become aware, the licensee shall treat the event as it would under subsection (a) of this section unless the third-party service provider provides the notice to the Commissioner under § 8606 of this title.

(2) The computation of a licensee’s deadline under this section begins on the first business day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

(3) Nothing in this chapter prevents or abrogates an agreement between a licensee and another licensee, a third-party service provider, or another party to fulfill the investigation requirements under § 8605 of this title or notice requirements under this section.

(e) Notice regarding cybersecurity events of reinsurers to insurers.

(1) If a cybersecurity event involves nonpublic information that is used by a licensee who is acting as an assuming insurer, or the nonpublic information is in the possession, custody, or control of a licensee who is acting as an assuming insurer and does not have a direct contractual relationship with the affected consumer, the licensee who is acting as an assuming insurer shall notify its affected ceding insurers and the Commissioner of the licensee who is acting as an assuming insurer’s state of domicile within 3 business days of determining that a cybersecurity event has occurred. A ceding insurer who has a direct contractual relationship with an affected consumer shall fulfill the consumer notification requirements under subsection (c) of this section and any other notification requirement under this section relating to a cybersecurity event.

(2) If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee who is acting as an assuming insurer, the licensee who is acting as an assuming insurer shall notify the affected ceding insurer and the Commissioner of the licensee who is acting as an assuming insurer’s state of domicile within 3 business days of receiving notice from the licensee who is acting as an assuming insurer’s third-party service provider that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with an affected consumer shall fulfill the consumer notification requirements under subsection (c) of this section and any other notification requirement under this section relating to a cybersecurity event.

(f) Notice regarding cybersecurity events of insurers to producers of record. If a cybersecurity event for which consumer notice is required under this section involves nonpublic information that is in the possession, custody, or control of a licensee who is an insurer, or a licensee’s third-party service provider and for which a consumer accessed the insurer’s services through an independent insurance producer, the licensee shall notify the producers of record of the consumer who was affected by the cybersecurity event in a reasonable manner and at a time reasonably concurrent with the time at which notice is provided to the affected consumer. The insurer is excused from this obligation for a producer who is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in an instance in which the insurer does not have the current producer of record information for the consumer.

§ 8607. Power of Commissioner.

(a) The Commissioner may examine and investigate the affairs of a licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. The Commissioner’s power under this section is in addition to the powers the Commissioner has under § 318 of this title. An examination or investigation must be conducted under § 320 through § 322 of this title.

(b) If the Commissioner has reason to believe that a licensee has been or is engaged in conduct in this State that violates this chapter, the Commissioner may take necessary or appropriate action to enforce the provisions of this chapter.

§ 8608. Confidentiality.

(a)(1) Documents, materials, or other information in the Department’s control or possession that a licensee or employee or agent acting on behalf of a licensee furnished under § 8604(i) or § 8606(b)(2)b., (b)(2)c., (b)(2)d., (b)(2)e., (b)(2)h., (b)(2)j., or (b)(2)k. of this title, or that the Commissioner obtained in an examination or investigation under § 8607 of this title, are confidential and privileged, and are not subject to any of the following:

a. The Freedom of Information Act, Chapter 100 of Title 29.

b. Subpoena.

c. Discovery or admissible in evidence in any private civil action.

(2) Notwithstanding paragraph (a)(1) of this section, the Commissioner may use documents, materials, or other information listed in paragraph (a)(1) of this section in the furtherance of a regulatory or legal action brought as a part of the Commissioner’s duties.

(b) Neither the Commissioner nor a person who received a document, materials, or other information listed in paragraph (a)(1) of this section while acting under the Commissioner’s authority is permitted or required to testify in a private civil action concerning the confidential document, materials, or information.

(c) In order to assist in the performance of the Commissioner’s duties under this chapter, the Commissioner may do any of the following:

(1) Share documents, materials, or other information, including confidential and privileged documents, materials, or information subject to subsection (a) of this section, with another state, federal, or international regulatory agency; the National Association of Insurance Commissioners and its affiliates or subsidiaries; and a state, federal, and international law-enforcement authority, if the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information.

(2) Receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the National Association of Insurance Commissioners or its affiliates or subsidiaries and from a regulatory or law-enforcement official of another foreign or domestic jurisdiction. The Commissioner shall maintain as confidential or privileged documents, materials, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the documents, materials, or information.

(3) Share documents, materials, or other information subject to subsection (a) of this section with a third-party consultant or vendor, if the consultant agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information.

(4) Enter into an agreement governing the sharing and use of information consistent with this subsection.

(d) A waiver of an applicable privilege or claim of confidentiality in documents, materials, or information may not occur as a result of disclosure to the Commissioner under this section or as a result of sharing as authorized in subsection (c) of this section.

(e) Nothing in this chapter prohibits the Commissioner from releasing final, adjudicated actions that are open to public inspection under the Delaware Freedom of Information Act, Chapter 100 of Title 29 to a database or other clearinghouse service that the National Association of Insurance Commissioners or its affiliates or subsidiaries maintains.

(f) Documents, materials, or other information that the National Association of Insurance Commissioners or a third-party consultant or vendor possesses or controls under this chapter is confidential by law and privileged, is not subject to the Delaware Freedom of Information Act, Chapter 100 of Title 29, is not subject to subpoena, and is not subject to discovery or admissible in evidence in a private civil action.

§ 8609. Exceptions.

(a) The following exceptions apply to this chapter:

(1) A licensee with fewer than 15 employees is exempt from § 8604 of this chapter.

(2) A licensee subject to the Health Insurance Portability and Accountability Act [P.L. 104-191, as amended] that has established and maintains an information security program under the statutes, rules, regulations, procedures, or guidelines established thereunder, is considered to meet the requirements of § 8604 of this title, if the licensee is compliant with the same and submits a written statement certifying its compliance.

(3) A licensee’s employee, agent, representative, or designee, who is also a licensee, is exempt from § 8604 of this title and is not required to develop the employee’s, agent’s, representative’s, or designee’s own information security program to the extent that the employee, agent, representative or designee is covered by the other licensee’s information security program.

(b) Nothing in this chapter creates a duty or liability for a provider of communication services for the transmission of voice, data, or other information over its network.

(c) If a licensee ceases to qualify for an exception under this section, the licensee has 180 days to comply with this chapter.

§ 8610. Penalties. If a licensee violates this chapter, the licensee may be subject to penalties under § 329 of this title.

§ 8611. Regulations.

The Commissioner may, in accordance with § 311 of this title, promulgate regulations necessary to carry out the provisions of this chapter.

Section 2. Effective Date. This Act takes effect upon enactment. A licensee under this chapter has 1 year from [the effective date of this Act] to implement § 8604 of this title and 2 years from [the effective date of this Act] to implement § 8604(f) of this title.

SYNOPSIS

This Act establishes standards for data security for Title 18 licensees and standards for the investigation of and notification to the Commissioner of a cybersecurity event affecting Title 18 licensees.