Bill Text: VA HB1334 | 2020 | Regular Session | Enrolled


Bill Title: Insurance data security; required programs and notifications.

Spectrum: Partisan Bill (Democrat 2-0)

Status: (Enrolled) 2020-02-25 - Bill text as passed House and Senate (HB1334ER) [HB1334 Detail]

Download: Virginia-2020-HB1334-Enrolled.html

VIRGINIA ACTS OF ASSEMBLY -- CHAPTER
An Act to amend and reenact §§18.2-186.6, 38.2-100, 38.2-600, 38.2-601, 38.2-602, 38.2-612.1, 38.2-612.2, 38.2-613, 38.2-614 through 38.2-618, 38.2-4214, 38.2-4319, 38.2-4408, and 38.2-4509 of the Code of Virginia; to amend the Code of Virginia by adding in Chapter 6 of Title 38.2 an article numbered 2, consisting of sections numbered 38.2-621 through 38.2-629; and to repeal §§38.2-613.2 and 38.2-620 of the Code of Virginia, relating to insurance data security; required programs and notifications.
[H 1334]
Approved

Be it enacted by the General Assembly of Virginia:

1. That §§18.2-186.6, 38.2-100, 38.2-600, 38.2-601, 38.2-602, 38.2-612.1, 38.2-612.2, 38.2-613, 38.2-614 through 38.2-618, 38.2-4214, 38.2-4319, 38.2-4408, and 38.2-4509 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding in Chapter 6 of Title 38.2 an article numbered 2, consisting of sections numbered 38.2-621 through 38.2-629, as follows:

§18.2-186.6. Breach of personal information notification.

A. As used in this section:

"Breach of the security of the system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

"Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable.

"Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities or any other legal entity, whether for profit or not for profit.

"Financial institution" has the meaning given that term in 15 U.S.C. §6809(3).

"Individual" means a natural person.

"Notice" means:

1. Written notice to the last known postal address in the records of the individual or entity;

2. Telephone notice;

3. Electronic notice; or

4. Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000 residents, or the individual or the entity does not have sufficient contact information or consent to provide notice as described in subdivisions 1, 2, or 3 of this definition. Substitute notice consists of all of the following:

a. E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;

b. Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; and

c. Notice to major statewide media.

Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. §1692a.

Notice required by this section shall include a description of the following:

(1) The incident in general terms;

(2) The type of personal information that was subject to the unauthorized access and acquisition;

(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;

(4) A telephone number that the person may call for further information and assistance, if one exists; and

(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

"Personal information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

1. Social security number;

2. Driver's license number or state identification card number issued in lieu of a driver's license number;

3. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts;

4. Passport number; or

5. Military identification number.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

"Redact" means alteration or truncation of data such that no more than the following are accessible as part of the personal information:

1. Five digits of a social security number; or

2. The last four digits of a driver's license number, state identification card number, or account number.

B. If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Notice required by this section may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system. Notice required by this section may be delayed if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.
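The definitions above decide whether a compromised record even falls within the statute: a name or first initial linked to at least one listed data element that is neither "encrypted" nor "redacted" to the stated thresholds, with subsection C pulling encrypted data back in when it was obtained in clear form or the attacker had the key. The following is an added example for incident scoping, not text or code from the bill; the record layout, the field names, the sample records and the masked-value formats are assumptions made for the illustration. It treats "encrypted" as a per-field flag on the record (the statute's encryption test is about the transformation applied, not something string inspection can decide) and reads the account-number element as requiring the account number together with the code that would permit access. A record passing this test only satisfies the definition; the notification duty in subsection B additionally turns on the reasonable belief of identity theft or other fraud, which no classifier can supply.

```python
"""Scope a data set against the "personal information" and "redact"
definitions of Va. Code § 18.2-186.6 as quoted on this page.
Added example; field names, record layout and samples are assumptions."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

_DIGIT = re.compile(r"\d")


def visible_digits(value: str) -> int:
    """Digits still readable in a (possibly masked) value."""
    return len(_DIGIT.findall(value))


def ssn_is_redacted(value: str) -> bool:
    """'Redact' for an SSN: no more than five digits accessible."""
    return visible_digits(value) <= 5


def last_four_is_redacted(value: str) -> bool:
    """'Redact' for a driver's licence, state ID or account number: only the
    last four digits accessible. Assumes masked values keep their surviving
    digits at the end (e.g. 'XXXXX1234'); digits anywhere else are treated
    as not redacted because their original position cannot be proven."""
    return re.fullmatch(r"\D*\d{0,4}", value) is not None


def redact_ssn(ssn: str) -> str:
    """Mask an SSN to its last four digits (inside the five-digit ceiling)."""
    digits = _DIGIT.findall(ssn)
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return "***-**-" + "".join(digits[-4:])


def redact_last_four(number: str) -> str:
    """Mask an account, licence or ID number to its last four digits."""
    digits = _DIGIT.findall(number)
    if len(digits) < 4:
        raise ValueError("expected at least four digits")
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


@dataclass(frozen=True)
class Record:
    first_name: str                       # full first name or first initial
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None  # or state ID card number
    account_number: Optional[str] = None   # bank, credit or debit card number
    account_access_code: Optional[str] = None  # PIN/password/CVV for that account
    passport_number: Optional[str] = None
    military_id: Optional[str] = None
    encrypted: FrozenSet[str] = frozenset()  # field names stored encrypted


def exposed_elements(rec: Record, key_compromised: bool = False) -> List[str]:
    """Listed data elements that are present, unencrypted and unredacted.
    key_compromised=True models subsection C: encrypted fields count as
    clear when the attacker had the encryption key."""
    def clear(name: str) -> Optional[str]:
        value = getattr(rec, name)
        if value is None or (name in rec.encrypted and not key_compromised):
            return None
        return value

    out: List[str] = []
    ssn = clear("ssn")
    if ssn is not None and not ssn_is_redacted(ssn):
        out.append("ssn")
    dl = clear("drivers_license")
    if dl is not None and not last_four_is_redacted(dl):
        out.append("drivers_license")
    # Subdivision 3: the number counts "in combination with" the code that
    # would permit access, so both must be in the clear (interpretation).
    acct, code = clear("account_number"), clear("account_access_code")
    if acct is not None and code is not None and not last_four_is_redacted(acct):
        out.append("account_number")
    for name in ("passport_number", "military_id"):
        if clear(name) is not None:
            out.append(name)
    return out


def has_linked_name(rec: Record) -> bool:
    """First name or first initial, linked to the last name."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def is_personal_information(rec: Record, key_compromised: bool = False) -> bool:
    return has_linked_name(rec) and bool(exposed_elements(rec, key_compromised))


SAMPLE_RECORDS = [  # constructed for this example
    Record("A.", "Doe", ssn="123-45-6789"),                                # clear SSN
    Record("Ann", "Doe", ssn="***-**-6789"),                               # redacted SSN
    Record("Bob", "Roe", ssn="123-45-6789", encrypted=frozenset({"ssn"})),  # encrypted SSN
    Record("Cy", "Poe", account_number="4111111111111111"),                # number, no code
    Record("Cy", "Poe", account_number="4111111111111111", account_access_code="0423"),
    Record("", "Moe", passport_number="X1234567"),                         # no name linked
    Record("Di", "Loe", drivers_license="XXXXX1234"),                      # redacted licence
]


def in_scope(records, key_compromised: bool = False) -> List[Record]:
    """Records that meet the definition and so need the subsection B analysis."""
    return [r for r in records if is_personal_information(r, key_compromised)]


if __name__ == "__main__":
    for r in in_scope(SAMPLE_RECORDS):
        print(r.first_name, r.last_name, exposed_elements(r))
```

Running the file lists only the first and fifth sample records; rerunning `in_scope(SAMPLE_RECORDS, key_compromised=True)` also pulls in the record whose SSN was encrypted, which is the subsection C case.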

D. An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.

E. In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. §1681a (p), of the timing, distribution, and content of the notice.

F. An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of the Commonwealth in accordance with its procedures in the event of a breach of the security of the system.

G. An entity that is subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.) and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that Act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this section.

H. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional state or federal regulator shall be in compliance with this section.

I. Except as provided by subsections J and K, pursuant to the enforcement duties and powers of the Office of the Attorney General, the Attorney General may bring an action to address violations of this section. The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.

J. A violation of this section by a state-chartered or licensed financial institution shall be enforceable exclusively by the financial institution's primary state regulator.

K. Nothing in this section shall apply to an individual or entity regulated by the State Corporation Commission's Bureau of Insurance.

L. The provisions of this section shall not apply to criminal intelligence systems subject to the restrictions of 28 C.F.R. Part 23 that are maintained by law-enforcement agencies of the Commonwealth and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN), established pursuant to Chapter 2 (§52-12 et seq.) of Title 52.

M. Notwithstanding any other provision of this section, any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld pursuant to Article 16 (§58.1-460 et seq.) of Chapter 3 of Title 58.1 shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this subsection applies only to information regarding the employer's employees, and does not apply to information regarding the employer's customers or other non-employees.

Such employer or payroll service provider shall provide the Office of the Attorney General with the name and federal employer identification number of the employer as defined in §58.1-460 that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Office of the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.

§38.2-100. Definitions.

As used in this title:

"Alien company" means a company incorporated or organized under the laws of any country other than the United States.

"Bureau" or "Bureau of Insurance" means the division of the Commission established to administer the insurance laws of the Commonwealth.

"Commission" means the State Corporation Commission.

"Commissioner" or "Commissioner of Insurance" means the administrative or executive officer of the Bureau.

"Company" means any association, aggregate of individuals, business, corporation, individual, joint-stock company, Lloyds type of organization, organization, partnership, receiver, reciprocal or interinsurance exchange, trustee or society.

"Domestic company" means a company incorporated or organized under the laws of the Commonwealth.

"Foreign company" means a company incorporated or organized under the laws of the United States, or of any state other than the Commonwealth.

"Health services plan" means any arrangement for offering or administering health services or similar or related services by a corporation licensed under Chapter 42 (§38.2-4200 et seq.).

"Insurance" means the business of transferring risk by contract wherein a person, for a consideration, undertakes (i) to indemnify another person, (ii) to pay or provide a specified or ascertainable amount of money, or (iii) to provide a benefit or service upon the occurrence of a determinable risk contingency. Without limiting the foregoing, "insurance" shall include (i) each of the classifications of insurance set forth in Article 2 (§38.2-101 et seq.) of this chapter and (ii) the issuance of group and individual contracts, certificates, or evidences of coverage by any health services plan as provided for in Chapter 42 (§38.2-4200 et seq.), health maintenance organization as provided for in Chapter 43 (§ 38.2-4300 et seq.), legal services organization or legal services plan as provided for in Chapter 44 (§38.2-4400 et seq.), dental or optometric services plan as provided for in Chapter 45 (§38.2-4500 et seq.), and dental plan organization as provided for in Chapter 61 (§38.2-6100 et seq.). "Insurance" shall not include any activity involving a home service contract that is subject to regulation pursuant to Chapter 33.1 (§59.1-434.1 et seq.) of Title 59.1; an extended service contract that is subject to regulation pursuant to Chapter 34 (§59.1-435 et seq.) of Title 59.1; a warranty made by a manufacturer, seller, lessor, or builder of a product or service; or a service agreement offered by an automobile club as defined in subsection E of §38.2-514.1.

"Insurance company" means any company engaged in the business of making contracts of insurance.

"Insurance transaction," "insurance business," and "business of insurance" include solicitation, negotiations preliminary to execution, execution of an insurance contract, and the transaction of matters subsequent to execution of the contract and arising out of it.

"Insurer" means an insurance company.

"Medicare" means the "Health Insurance for the Aged Act," Title XVIII of the Social Security Amendment of 1965, as amended.

"Person" means any association, aggregate of individuals, business, company, corporation, individual, joint-stock company, Lloyds type of organization, organization, partnership, receiver, reciprocal or interinsurance exchange, trustee or society.

"Rate" or "rates" means any rate of premium, policy fee, membership fee or any other charge made by an insurer for or in connection with a contract or policy of insurance. The terms "rate" or "rates" shall not include a membership fee paid to become a member of an organization or association, one of the benefits of which is the purchasing of insurance coverage.

"Rate service organization" means any organization or person, other than a joint underwriting association under §38.2-1915 or any employee of an insurer including those insurers under common control or management, who assists insurers in ratemaking or filing by:

(a) Collecting, compiling, and furnishing loss or expense statistics;

(b) Recommending, making or filing rates or supplementary rate information; or

(c) Advising about rate questions, except as an attorney giving legal advice.

"State" means any commonwealth, state, territory, district or insular possession of the United States.

"Surplus to policyholders" means the excess of total admitted assets over the liabilities of an insurer, and shall be the sum of all capital and surplus accounts, including any voluntary reserves, minus any impairment of all capital and surplus accounts.

Without otherwise limiting the meaning of or defining the following terms, "insurance contracts" or "insurance policies" shall include contracts of fidelity, indemnity, guaranty and suretyship.

Article 1.
Collection, Use, and Dissemination of Information.

§38.2-600. Purposes.

The purposes of this article are to:

1. Establish standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations;

2. Maintain a balance between the need for information by those conducting the business of insurance and the public's need for fairness in insurance information practices, including the need to minimize intrusiveness;

3. Establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy;

4. Limit the disclosure of information collected in connection with insurance transactions; and

5. Enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.

§38.2-601. Application of article.

A. The obligations imposed by this article shall apply to those insurance institutions, agents or insurance-support organizations that:

1. In the case of life or accident and sickness insurance:

a. Collect, receive or maintain information in connection with insurance transactions that pertains to natural persons who are residents of the Commonwealth; or

b. Engage in insurance transactions with applicants, individuals, or policyholders who are residents of the Commonwealth; and

2. In the case of property or casualty insurance:

a. Collect, receive or maintain information in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth; or

b. Engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth.

B. The rights granted by this article shall extend to:

1. In the case of life or accident and sickness insurance, the following persons who are residents of the Commonwealth:

a. Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions; and

b. Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions; and

2. In the case of property or casualty insurance, the following persons:

a. Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth; and

b. Applicants, individuals, or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth.

C. For purposes of this section, a person shall be considered a resident of the Commonwealth if the person's last known mailing address, as shown in the records of the insurance institution, agent or insurance-support organization, is located in the Commonwealth.

D. Notwithstanding subsections A and B of this section, this article shall not apply to information collected from the public records of a governmental authority and maintained by an insurance institution or its representatives for the purpose of insuring the title to real property located in the Commonwealth.

E. The provisions of this article shall apply only to insurance purchased primarily for personal, family or household purposes.

§38.2-602. Definitions.

As used in this article:

"Adverse underwriting decision" means:

1. Any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

a. A declination of insurance coverage;

b. A termination of insurance coverage;

c. Failure of an agent to apply for insurance coverage with a specific insurance institution that an agent represents and that is requested by an applicant;

d. In the case of a property or casualty insurance coverage:

(1) Placement by an insurance institution or agent of a risk with a residual market mechanism or an unlicensed insurer; or

(2) The charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished; or

e. In the case of a life or accident and sickness insurance coverage, an offer to insure at higher than standard rates, or with limitations, exceptions or benefits other than those applied for.

2. Notwithstanding subdivision 1 of this definition, the following actions shall not be considered adverse underwriting decisions, but the insurance institution or agent responsible for their occurrence shall provide the applicant or policyholder with the specific reason or reasons for their occurrence:

a. The termination of an individual policy form on a class or statewide basis;

b. A declination of insurance coverage solely because such coverage is not available on a class or statewide basis;

c. The rescission of a policy.

"Affiliate" or "affiliated" means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person.

"Agent" shall have the meaning as set forth in § 38.2-1800 and shall include surplus lines brokers.

"Applicant" means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

"Clear and conspicuous notice" means a notice that is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

"Consumer report" means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living that is used or expected to be used in connection with an insurance transaction.

"Consumer reporting agency" means any person who:

1. Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee;

2. Obtains information primarily from sources other than insurance institutions; and

3. Furnishes consumer reports to other persons.

"Control," including the terms "controlled by" or "under common control with," means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.

"Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.

"Financial information" means personal information other than medical record information or records of payment for the provision of health care to an individual.

"Financial institution" means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. §1843 (k)).

"Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. §1843 (k)).

"Individual" means any natural person who:

1. In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder;

2. In the case of life or accident and sickness insurance, is a past, present, or proposed principal insured or certificate holder;

3. Is a past, present or proposed policyowner;

4. Is a past or present applicant;

5. Is a past or present claimant;

6. Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this article;

7. For the purposes of §§38.2-612.1 and 38.2-613, is a beneficiary of a life insurance policy;

8. For the purposes of §§38.2-612.1 and 38.2-613, is a mortgagor of a mortgage covered under a mortgage guaranty insurance policy; or

9. For the purposes of §§38.2-612.1 and 38.2-613, is an owner of property used as security for an indebtedness for which single interest insurance is required by a lender.

Notwithstanding any provision of this definition to the contrary, for purposes of §38.2-612.1, "individual" shall not include any natural person who is covered under an employee benefit plan, group or blanket insurance contract, or group annuity contract when the insurance institution or agent that provides such plan or contract: (i) furnishes the notice required under §38.2-604.1 to the employee benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder; and (ii) does not disclose the financial information of the person to a nonaffiliated third party other than as permitted under §38.2-613.

"Institutional source" means any person or governmental entity that provides information about an individual to an agent, insurance institution or insurance-support organization, other than:

1. An agent;

2. The individual who is the subject of the information; or

3. A natural person acting in a personal capacity rather than in a business or professional capacity.

"Insurance institution" means any corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyd's type of organization, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations, and health, legal, dental, and optometric service plans. "Insurance institution" shall not include agents or insurance-support organizations.

"Insurance-support organization" means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction or (ii) the collection of personal information from insurance institutions, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. However, the following persons shall not be considered "insurance-support organizations" for purposes of this article: agents, governmental institutions, insurance institutions, medical-care institutions and medical professionals.

"Insurance transaction" means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails:

1. The determination of an individual's eligibility for an insurance coverage, benefit or payment; or

2. The servicing of an insurance application, policy, contract, or certificate.

"Investigative consumer report" means a consumer report or a portion thereof in which information about a natural person's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning such items of information.

"Joint marketing agreement" means a formal written contract pursuant to which an insurance institution jointly offers, endorses, or sponsors a financial product or service with another financial institution.

"Life insurance" includes annuities.

"Medical-care institution" means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home-health agencies, medical clinics, rehabilitation agencies, and public-health agencies or health-maintenance organizations.

"Medical professional" means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, chiropractor, optometrist, physical or occupational therapist, social worker, clinical dietitian, clinical psychologist, licensed professional counselor, licensed marriage and family therapist, pharmacist, or speech therapist.

"Medical-record information" means personal information that:

1. Relates to an individual's physical or mental condition, medical history, or medical treatment; and

2. Is obtained from a medical professional or medical-care institution, from the individual, or from the individual's spouse, parent, or legal guardian.

"Nonaffiliated third party" means any person who is not an affiliate of an insurance institution but does not mean (i) an agent who is selling or servicing a product on behalf of the insurance institution or (ii) a person who is employed jointly by the insurance institution and the company that is not an affiliate.

"Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. "Personal information" includes an individual's name and address and medical-record information, but does not include (i) privileged information or (ii) any information that is publicly available.

"Policyholder" means any person who:

1. In the case of individual property or casualty insurance, is a present named insured;

2. In the case of individual life or accident and sickness insurance, is a present policyowner; or

3. In the case of group insurance that is individually underwritten, is a present group certificate holder.

"Policyholder information" means personal information about a policyholder, whether in paper, electronic, or other form, that is maintained by or on behalf of an insurance institution, agent, or insurance-support organization.

"Pretext interview" means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

1. Pretends to be someone he or she is not;

2. Pretends to represent a person he or she is not in fact representing;

3. Misrepresents the true purpose of the interview; or

4. Refuses to identify himself or herself upon request.

"Privileged information" means any individually identifiable information that (i) relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and (ii) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual.

"Residual market mechanism" means an association, organization, or other entity defined, described, or provided for in the Virginia Automobile Insurance Plan as set forth in §38.2-2015, or in the Virginia Property Insurance Association as set forth in Chapter 27 (§38.2-2700 et seq.) of this title.

"Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy other than by the policyholder's request, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

"Unlicensed insurer" means an insurance institution that has not been granted a license by the Commission to transact the business of insurance in Virginia.

§38.2-612.1. Special requirements for providing financial information to nonaffiliated third parties.

A. Except as otherwise provided in §38.2-613, no insurance institution, agent, or insurance-support organization may, directly or through an affiliate, disclose to a nonaffiliated third party financial information about an individual collected or received in connection with an insurance transaction, unless:

1. The individual has been given a clear and conspicuous notice in writing, or in electronic form if the individual agrees, stating that such financial information may be disclosed to such nonaffiliated third party;

2. The individual is given an opportunity, before such financial information is initially disclosed, to direct that such information not be disclosed, and in no case shall the individual be given less than 30 days from the date of notice to direct that such information not be disclosed;

3. The individual is given a reasonable means by which to exercise the right to direct that such information not be disclosed as well as an explanation that such right may be exercised at any time and that such right remains effective until revoked by the individual; and

4. The nonaffiliated third party agrees not to disclose such financial information to any other person unless such disclosure would otherwise be permitted by this article if made by the insurance institution, agent, or insurance-support organization.

B. 1. No insurance institution, agent, or insurance-support organization may disclose to a nonaffiliated third party, directly or through an affiliate, other than to a consumer reporting agency, a policy number or similar form of access number or transaction account of a policyholder or applicant for use in telemarketing, direct mail marketing or other marketing through electronic mail to an applicant or policyholder, other than to:

a. An agent or other person solely for the purpose of marketing the insurance institution's own products or services as long as the agent or other person is not authorized to directly initiate charges to the account; or

b. A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the policyholder or applicant at the time the policyholder or applicant enters the program.

2. A policy or transaction account shall not include an account to which third parties cannot initiate charges.

C. No insurance institution or agent shall unfairly discriminate against an individual because (i) the individual has directed that his personal information not be disclosed pursuant to subsection A of this section or (ii) the individual has refused to grant authorization of the disclosure of his privileged information or medical record information by an insurance institution, agent or insurance support organization pursuant to subsection A of §38.2-613.

D. The requirements of subsection A of this section may be satisfied by providing a single notice if two or more applicants or policyholders jointly obtain or apply for an insurance product. Such notice shall allow one applicant or policyholder to direct that financial information not be disclosed to nonaffiliated third parties on behalf of all of the joint applicants or policyholders, provided that each applicant or policyholder may separately direct that his financial information not be disclosed to nonaffiliated third parties.

E. An insurance agent shall not be subject to the requirements of subsection A of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any financial information to any person other than the insurance institution or its affiliates, or as permitted by §38.2-613.

F. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

§38.2-612.2. Protection of the Fair Credit Reporting Act.

Nothing in this article shall be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. §1681 et seq.), and no inference shall be drawn on the basis of the provisions of this article regarding whether information is transaction or experience information under Section 603 of that Act.

§38.2-613. Disclosure limitations and conditions.

A. An insurance institution, agent, or insurance-support organization shall not disclose any medical-record information or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is with the written authorization of the individual, provided:

1. If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirements of §38.2-606; or

2. If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:

a. Dated,

b. Signed by the individual, and

c. Obtained two years or less prior to the date a disclosure is sought pursuant to this subdivision.

B. Notwithstanding the provisions of subsection A of this section, an insurance institution, agent, or insurance-support organization may disclose personal or privileged information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:

1. To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary:

a. To enable that person to perform a business, professional or insurance function for the disclosing insurance institution, agent, or insurance-support organization and that person agrees not to disclose the information further without the individual's written authorization unless the further disclosure:

(1) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

(2) Is reasonably necessary for that person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or

b. To enable that person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:

(1) Determining an individual's eligibility for an insurance benefit or payment; or

(2) Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or

2. To an insurance institution, agent, or insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:

a. To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or

b. For either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or

3. To a medical-care institution or medical professional for the purpose of (i) verifying insurance coverage or benefits, (ii) informing an individual of a medical problem of which the individual may not be aware or (iii) conducting an operations or services audit, provided only that information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or

4. To an insurance regulatory authority; or

5. To a law-enforcement or other government authority:

a. To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or

b. If the insurance institution, agent, or insurance-support organization reasonably believes that illegal activities have been conducted by the individual; or

c. Upon written request of any law-enforcement agency, for all insured or claimant information in the possession of an insurance institution, agent, or insurance-support organization which relates to an ongoing criminal investigation. Such insurance institution, agent, or insurance-support organization shall release such information, including, but not limited to, policy information, premium payment records, record of prior claims by the insured or by another claimant, and information collected in connection with an insurance company's investigation of an application or claim. Any information released to a law-enforcement agency pursuant to such request shall be treated as confidential criminal investigation information and not be disclosed further except as provided by law. Notwithstanding any provision in this article, no insurance institution, agent, or insurance-support organization shall notify any insured or claimant that information has been requested or supplied pursuant to this section prior to notification from the requesting law-enforcement agency that its criminal investigation is completed. Within ninety days following the completion of any such criminal investigation, the law-enforcement agency making such a request for information shall notify any insurance institution, agent, or insurance-support organization from whom information was requested that the criminal investigation has been completed; or

6. Otherwise permitted or required by law; or

7. In response to a facially valid administrative or judicial order, including a search warrant or subpoena; or

8. Made for the purpose of conducting actuarial or research studies, provided:

a. No individual may be identified in any actuarial or research report, and

b. Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed, and

c. The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

9. To a party or a representative of a party to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance-support organization, provided:

a. Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation, and

b. The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

10. To a nonaffiliated third party whose only use of such information will be in connection with the marketing of a nonfinancial product or service, provided:

a. No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from the information is disclosed,

b. The individual has been given an opportunity, in accordance with the provisions of subsection A of §38.2-612.1, to indicate that he does not want financial information disclosed for marketing purposes and has given no indication that he does not want the information disclosed, and

c. The nonaffiliated third party receiving such information agrees not to use it except in connection with the marketing of the product or service; or

11. (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) or (ii) from a consumer report reported by a consumer reporting agency; or

12. To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit; or

13. To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional; or

14. To a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable; or

15. To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or

16. To a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, or to persons acting in a fiduciary or representative capacity on behalf of the individual, provided that:

a. No medical record information is disclosed unless the disclosure would be permitted by this section; and

b. The information disclosed is limited to that which is reasonably necessary to permit such person to protect his interest in the policy; or

17. Necessary to effect, administer, or enforce a transaction requested or authorized by the individual, or in connection with servicing or processing an insurance product or service requested or authorized by the individual, or necessary for reinsurance purposes, or for stop loss or excess loss agreements provided for in subsection B of §38.2-109; or

18. Pursuant to any federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services.

C. An insurance institution, agent, or insurance-support organization may disclose information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:

1. To a nonaffiliated third party whose only use of such information will be to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, provided:

a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B of this section,

b. With respect to financial information, the individual has been given the notice required by subsection B of §38.2-604.1, and

c. The person receiving such financial information agrees, by contract, (i) not to use it except to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, or as permitted under subsection B of this section and (ii) to maintain the confidentiality of such information and not disclose it to any other nonaffiliated third party unless such disclosure would otherwise be permitted by this section if made by the insurance institution, agent, or insurance-support organization;

2. To an affiliate, provided:

a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B of this section, and

b. The affiliate receiving the information does not disclose the information except as would otherwise be permitted by this section if such disclosure were made by the insurance institution, agent, or insurance-support organization.

D. 1. No person proposing to issue, re-issue, or renew any policy, contract, or plan of accident and sickness insurance defined in §38.2-109, but excluding disability income insurance, issued by any (i) insurer providing hospital, medical and surgical or major medical coverage on an expense incurred basis, (ii) corporation providing a health services plan, or (iii) health maintenance organization providing a health care plan for health care services shall disclose any genetic information about an individual or a member of such individual's family collected or received in connection with any insurance transaction unless the disclosure is made with the written authorization of the individual.

2. For the purpose of this subsection, "genetic information" means information about genes, gene products, or inherited characteristics that may derive from an individual or a family member.

3. Agents and insurance support organizations shall be subject to the provisions of this subsection to the extent of their participation in the issue, re-issue, or renewal of any policy, contract, or plan of accident and sickness insurance defined in §38.2-109, but excluding disability income insurance.

E. Any notices, disclosures, or authorizations required by this section may be provided electronically if the individual agrees.

F. Any privileged information about an individual that is disclosed in violation of this section shall be available to that individual in accordance with the provisions of §§38.2-608 and 38.2-609.

G. Except in the case of disclosures made pursuant to subdivision B 10 of this section, the requirements of subsection A of §38.2-612.1 shall not apply when information is disclosed pursuant to this section.

§38.2-614. Powers of Commission.

A. The Commission shall have the power to examine and investigate the affairs of any insurance institution or agent doing business in the Commonwealth to determine whether the insurance institution or agent has been or is engaged in any conduct in violation of this article.

B. The Commission shall have the power to examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent and that either (i) transacts business in the Commonwealth, or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.

§38.2-615. Hearings and procedures.

A. Whenever the Commission has reason to believe that an insurance institution, agent or insurance-support organization has been or is engaged in conduct in the Commonwealth that violates this article, or whenever the Commission has reason to believe that an insurance-support organization has been or is engaged in conduct outside the Commonwealth that has an effect on a person residing in the Commonwealth and that violates this article, the Commission may issue and serve upon the insurance institution, agent, or insurance-support organization a statement of charges and notice of hearing to be held at a time and place fixed in the notice. The date for such hearing shall be at least ten days after the date of service.

B. At the time and place fixed for the hearing, the insurance institution, agent, or insurance-support organization charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause shown, the Commission shall permit any adversely affected person to intervene, appear, and be heard at the hearing by counsel or in person.

C. In all matters in connection with such investigation, charge, or hearing the Commission shall have the jurisdiction, power and authority granted or conferred upon it by Title 12.1.

§38.2-616. Service of process on insurance-support organizations.

For the purpose of this article, an insurance-support organization transacting business outside the Commonwealth that has an effect on a person residing in the Commonwealth and which is alleged to violate this article shall be deemed to have appointed the clerk of the Commission to accept service of process on its behalf. Service on the clerk shall be made in accordance with §12.1-19.1.

§38.2-617. Individual remedies.

A. If any insurance institution, agent, or insurance-support organization fails to comply with §§38.2-608, 38.2-609, or §38.2-610, any person whose rights granted under those sections are violated may apply to a court of competent jurisdiction for appropriate equitable relief.

B. An insurance institution, agent, or insurance-support organization that discloses information in violation of §38.2-613 shall be liable for damages sustained by the individual to whom the information relates. No individual, however, shall be entitled to a monetary award that exceeds the actual damages sustained by the individual as a result of a violation of §38.2-613.

C. In any action brought pursuant to this section, the court may award the cost of the action and reasonable attorney's fees to the prevailing party.

D. An action under this section must be brought within two years from the date the alleged violation is or should have been discovered.

E. Except as specifically provided in this section, there shall be no remedy or recovery available to individuals, in law or in equity, for occurrences constituting a violation of any provision of this article.

§38.2-618. Immunity of persons disclosing information.

No cause of action in the nature of defamation, invasion of privacy, or negligence shall arise against any person for disclosing personal or privileged information in accordance with this article, nor shall such a cause of action arise against any person for furnishing personal or privileged information to an insurance institution, agent, or insurance-support organization. However, this section shall provide no immunity for disclosing or furnishing false information with malice or willful intent to injure any person.

Article 2.
Insurance Data Security Act.

§38.2-621. Definitions.

As used in this article:

"Authorized person" means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Consumer" means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.

"Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. "Cybersecurity event" does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

"HIPAA" means the federal Health Insurance Portability and Accountability Act (42 U.S.C. §1320d et seq.).

"Home state" means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.

"Insurance-support organization" has the same meaning as provided in §38.2-602.

"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Nonpublic information" means information that is not publicly available information and is:

1. Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

2. Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or

3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.

"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.

"Person" means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

"Third-party service provider" means (i) a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is permitted access to nonpublic information through its provision of services to the licensee or (ii) an insurance-support organization.

§38.2-622. Private cause of action; neither created nor curtailed.

Nothing in this article shall be construed to create or imply a private cause of action for violation of its provisions, nor shall it be construed to curtail a private cause of action which would otherwise exist in the absence of this article.

§38.2-623. Information security program.

A. Commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's assessment of the licensee's risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

B. Each licensee's information security program shall be designed to:

1. Protect the security and confidentiality of nonpublic information and the security of the information system;

2. Protect against any reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the information system;

3. Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and

4. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction.

C. Each licensee shall:

1. Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;

2. Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;

3. Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;

4. At physical locations containing nonpublic information, restrict access to nonpublic information to authorized persons only;

5. Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;

6. Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;

7. Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and

8. Provide its personnel with cybersecurity awareness training.

D. 1. If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee's information executive management or its delegates to (i) develop, implement, and maintain the licensee's information security program and (ii) report in writing (a) the overall status of the information security program and the licensee's compliance with this article and (b) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program.

2. If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1.

E. Beginning July 1, 2022, if a licensee utilizes a third-party service provider, the licensee shall:

1. Exercise due diligence in selecting its third-party service provider; and

2. Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

F. Each licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

G. As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the licensee's information systems; or the continuing functionality of any aspect of the licensee's business or operations. Such incident response plan shall address:

1. The internal process for responding to a cybersecurity event;

2. The goals of the incident response plan;

3. The definition of clear roles, responsibilities, and levels of decision-making authority;

4. External and internal communications and information sharing;

5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

6. Documentation and reporting regarding cybersecurity events and related incident response activities; and

7. The evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.

H. Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the Commission. Each insurer shall maintain for examination by the Bureau all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the Commissioner.

§38.2-624. Investigation of a cybersecurity event.

A. If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an investigator shall conduct a prompt investigation.

B. During the investigation, the licensee or an investigator shall, at a minimum, determine as much of the following information as possible:

1. Determine whether a cybersecurity event has occurred;

2. Assess the nature and scope of the cybersecurity event;

3. Identify any nonpublic information that may have been involved in the cybersecurity event; and

4. Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.

C. If a licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the third-party service provider has completed those steps.

D. Each licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner.

§38.2-625. Notice to Commissioner.

A. If a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if:

1. The licensee is a domestic insurance company, or in the case of a producer, the Commonwealth is the licensee's home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or

2. The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth or the licensee is required under federal law or the laws of another state to provide notice of the cybersecurity event to any government body, self-regulatory agency, or other supervisory body.

B. Notice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible:

1. The date of the cybersecurity event;

2. A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;

3. How the cybersecurity event was discovered;

4. Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;

5. The identity of the source of the cybersecurity event;

6. Whether the licensee has filed a police report or has notified any regulatory, government, or law-enforcement agencies and, if so, when such notification was provided;

7. A description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the consumer;

8. The period during which the information system was compromised by the cybersecurity event;

9. The number of consumers in the Commonwealth affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;

10. The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

11. A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;

12. A copy of the licensee's consumer privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and

13. The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

C. A licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.

D. Each licensee shall notify consumers in compliance with §38.2-626, and provide a copy of the notice sent to consumers under such section to the Commissioner, when a licensee is required to notify the Commissioner under this section.

E. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

F. If a cybersecurity event involves nonpublic information that is used by a licensee that is acting as an assuming insurer or is in the possession, control, or custody of a licensee that is acting as an assuming insurer or its third-party service provider and the licensee does not have a direct contractual relationship with the affected consumers, the licensee shall notify its affected ceding insurers and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its third-party service provider that a cybersecurity event has occurred. Ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under §38.2-626 and any other notification requirements relating to a cybersecurity event imposed under this section.

G. If there is a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider and for which a consumer accessed the insurer's services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the Commissioner. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.

H. Nothing in this article shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under §38.2-624 or notice requirements imposed under this section.

§38.2-626. Notice to consumers.

A. A licensee that maintains consumers' nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:

1. The incident in general terms;

2. The type of nonpublic information that was subject to the unauthorized access and acquisition;

3. The general acts of the licensee to protect the consumer's nonpublic information from further unauthorized access;

4. A telephone number that the consumer may call for further information and assistance, if one exists; and

5. Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer's credit reports.

B. Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.

C. In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. §1681a (p), of the timing, distribution, and content of the notice.

D. Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. §1692a.

E. Notice required by this section and §38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

F. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

§38.2-627. Powers and duties of the Commission; exclusive state standards.

A. The Commissioner may examine and investigate the affairs of any licensee to determine whether a licensee has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the Commissioner has under Article 4 of Chapter 13 (38.2-1300 et seq.) and Chapter 18 (38.2-1800 et seq.). Any such investigation or examination shall be conducted pursuant to Chapters 13 and 18.

B. Whenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in the Commonwealth that violates this article, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this article.

C. The Commission may examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent as defined in §38.2-602 and that either (i) transacts business in the Commonwealth or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.

D. The Commission shall adopt rules and regulations implementing the provisions of this article.

E. This article and any rules adopted pursuant to this article establish the exclusive state standards applicable to licensees for data security, the security of nonpublic information, the investigation of cybersecurity events, and notification of cybersecurity events for those individuals and entities subject to this article.

§38.2-628. Confidentiality.

A. Any documents, materials, or other information in the control or possession of the Bureau that are furnished by a licensee or an employee or agent thereof acting on behalf of a licensee pursuant to subsection H of §38.2-623 or subdivisions B 2, 3, 4, 5, 8, 10, and 11 of §38.2-625, or that are obtained by the Commissioner in an investigation or examination pursuant to §38.2-627, shall be confidential by law and privileged, shall not be subject to §12.1-19, shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the Commissioner is authorized to use the documents, materials, or other information in the furtherance of any regulatory or legal action brought as a part of the Commissioner's duties.

B. Neither the Commissioner nor any person who received documents, materials, or other information while acting under the authority of the Commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to subsection A.

C. In order to assist in the performance of the Commissioner's duties under this article, the Commissioner may:

1. Share documents, materials, or other information, including the confidential and privileged documents, materials, or information subject to subsection A, with other state, federal, and international regulatory agencies; with the National Association of Insurance Commissioners (NAIC), its affiliates, or its subsidiaries; and with state, federal, and international law-enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information;

2. Receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the NAIC, its affiliates, or its subsidiaries and from regulatory and law-enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any documents, materials, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the documents, materials, or information;

3. Share documents, materials, or other information subject to subsection A with a third-party consultant or vendor provided the consultant agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information; and

4. Enter into agreements governing sharing and use of information consistent with this subsection.

D. No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the Commissioner under this section or as a result of sharing as authorized in subsection C.

E. Documents, materials, or other information in the possession or control of the NAIC or a third-party consultant or vendor as a result of an examination or investigation pursuant to subsection H of § 38.2-623 or subdivisions B 2, 3, 4, 5, 8, 10, and 11 of §38.2-625 shall be confidential by law and privileged, shall not be subject to §12.1-19, shall not be subject to subpoena, and shall not be subject to discovery in any private civil action.

F. Nothing in this article shall prohibit the Commissioner from releasing final, adjudicated actions that are open to public inspection to a database or other clearinghouse service maintained by the NAIC, its affiliates, or its subsidiaries.

§38.2-629. Exceptions.

A. The following exceptions shall apply to this article:

1. A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of §38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of §§38.2-624 and 38.2-626.

2. An employee, agent, representative or designee of a licensee, who is also a licensee, is exempt from §§38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.

3. A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to §§501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of §38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution's adoption of an information security program that satisfies the Interagency Guidelines.

B. If a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.

§38.2-4214. Application of certain provisions of law.

No provision of this title except this chapter and, insofar as they are not inconsistent with this chapter, §§38.2-200, 38.2-203, 38.2-209 through 38.2-213, 38.2-218 through 38.2-225, 38.2-230, 38.2-232, 38.2-305, 38.2-316, 38.2-316.1, 38.2-322, 38.2-325, 38.2-326, 38.2-400, 38.2-402 through 38.2-413, 38.2-500 through 38.2-515, 38.2-600 through 38.2-620 38.2-629, 38.2-700 through 38.2-705, 38.2-900 through 38.2-904, 38.2-1017, 38.2-1018, 38.2-1038, 38.2-1040 through 38.2-1044, Articles 1 (§38.2-1300 et seq.) and 2 (§38.2-1306.2 et seq.) of Chapter 13, §§38.2-1312, 38.2-1314, 38.2-1315.1, 38.2-1317 through 38.2-1328, 38.2-1334, 38.2-1340, 38.2-1400 through 38.2-1442, 38.2-1446, 38.2-1447, 38.2-1800 through 38.2-1836, 38.2-3400, 38.2-3401, 38.2-3404, 38.2-3405, 38.2-3405.1, 38.2-3406.1, 38.2-3406.2, 38.2-3407.1 through 38.2-3407.6:1, 38.2-3407.9 through 38.2-3407.20, 38.2-3409, 38.2-3411 through 38.2-3419.1, 38.2-3430.1 through 38.2-3454, Article 8 (§38.2-3461 et seq.) of Chapter 34, 38.2-3501, 38.2-3502, subdivision 13 of §38.2-3503, subdivision 8 of §38.2-3504, §§38.2-3514.1, 38.2-3514.2, §§38.2-3516 through 38.2-3520 as they apply to Medicare supplement policies, §§38.2-3522.1 through 38.2-3523.4, 38.2-3525, 38.2-3540.1, 38.2-3541 through 38.2-3542, 38.2-3543.2, Article 5 (§38.2-3551 et seq.) of Chapter 35, Chapter 35.1 (§38.2-3556 et seq.), §§38.2-3600 through 38.2-3607, Chapter 52 (§ 38.2-5200 et seq.), Chapter 55 (§38.2-5500 et seq.), and Chapter 58 (§ 38.2-5800 et seq.) of this title shall apply to the operation of a plan.

§38.2-4319. Statutory construction and relationship to other laws.

A. No provisions of this title except this chapter and, insofar as they are not inconsistent with this chapter, §§38.2-100, 38.2-136, 38.2-200, 38.2-203, 38.2-209 through 38.2-213, 38.2-216, 38.2-218 through 38.2-225, 38.2-229, 38.2-232, 38.2-305, 38.2-316, 38.2-316.1, 38.2-322, 38.2-325, 38.2-326, 38.2-400, 38.2-402 through 38.2-413, 38.2-500 through 38.2-515, 38.2-600 through 38.2-620 38.2-629, Chapter 9 (§ 38.2-900 et seq.), §§38.2-1016.1 through 38.2-1023, 38.2-1057, 38.2-1306.1, Article 2 (§38.2-1306.2 et seq.), §38.2-1315.1, Articles 3.1 (§38.2-1316.1 et seq.), 4 (§38.2-1317 et seq.), 5 (§38.2-1322 et seq.), 5.1 (§38.2-1334.3 et seq.), and 5.2 (§38.2-1334.11 et seq.) of Chapter 13, Articles 1 (§38.2-1400 et seq.), 2 (§38.2-1412 et seq.), and 4 (§38.2-1446 et seq. ) of Chapter 14, Chapter 15 (§38.2-1500 et seq.), Chapter 17 (§38.2-1700 et seq.), §§ 38.2-1800 through 38.2-1836, 38.2-3401, 38.2-3405, 38.2-3405.1, 38.2-3406.1, 38.2-3407.2 through 38.2-3407.6:1, 38.2-3407.9 through 38.2-3407.20, 38.2-3411, 38.2-3411.2, 38.2-3411.3, 38.2-3411.4, 38.2-3412.1, 38.2-3414.1, 38.2-3418.1 through 38.2-3418.17, 38.2-3419.1, 38.2-3430.1 through 38.2-3454, Article 8 (§ 38.2-3461 et seq.) of Chapter 34, 38.2-3500, subdivision 13 of §38.2-3503, subdivision 8 of §38.2-3504, §§38.2-3514.1, 38.2-3514.2, 38.2-3522.1 through 38.2-3523.4, 38.2-3525, 38.2-3540.1, 38.2-3540.2, 38.2-3541.2, 38.2-3542, 38.2-3543.2, Article 5 (§38.2-3551 et seq.) of Chapter 35, Chapter 35.1 (§ 38.2-3556 et seq.), Chapter 52 (§38.2-5200 et seq.), Chapter 55 (§38.2-5500 et seq.), and Chapter 58 (§38.2-5800 et seq.) shall be applicable to any health maintenance organization granted a license under this chapter. This chapter shall not apply to an insurer or health services plan licensed and regulated in conformance with the insurance laws or Chapter 42 (§38.2-4200 et seq.) except with respect to the activities of its health maintenance organization.

B. For plans administered by the Department of Medical Assistance Services that provide benefits pursuant to Title XIX or Title XXI of the Social Security Act, as amended, no provisions of this title except this chapter and, insofar as they are not inconsistent with this chapter, §§ 38.2-100, 38.2-136, 38.2-200, 38.2-203, 38.2-209 through 38.2-213, 38.2-216, 38.2-218 through 38.2-225, 38.2-229, 38.2-232, 38.2-322, 38.2-325, 38.2-400, 38.2-402 through 38.2-413, 38.2-500 through 38.2-515, 38.2-600 through 38.2-620 38.2-629, Chapter 9 (§38.2-900 et seq.), §§38.2-1016.1 through 38.2-1023, 38.2-1057, 38.2-1306.1, Article 2 (§38.2-1306.2 et seq.), § 38.2-1315.1, Articles 3.1 (§38.2-1316.1 et seq.), 4 (§38.2-1317 et seq.), 5 (§38.2-1322 et seq.), 5.1 (§38.2-1334.3 et seq.), and 5.2 (§38.2-1334.11 et seq.) of Chapter 13, Articles 1 (§38.2-1400 et seq.), 2 (§38.2-1412 et seq.), and 4 (§38.2-1446 et seq.) of Chapter 14, §§38.2-3401, 38.2-3405, 38.2-3407.2 through 38.2-3407.5, 38.2-3407.6, 38.2-3407.6:1, 38.2-3407.9, 38.2-3407.9:01, and 38.2-3407.9:02, subdivisions F 1, F 2, and F 3 of §38.2-3407.10, §§ 38.2-3407.11, 38.2-3407.11:3, 38.2-3407.13, 38.2-3407.13:1, 38.2-3407.14, 38.2-3411.2, 38.2-3418.1, 38.2-3418.2, 38.2-3419.1, 38.2-3430.1 through 38.2-3437, 38.2-3500, subdivision 13 of §38.2-3503, subdivision 8 of §38.2-3504, §§38.2-3514.1, 38.2-3514.2, 38.2-3522.1 through 38.2-3523.4, 38.2-3525, 38.2-3540.1, 38.2-3540.2, 38.2-3541.2, 38.2-3542, 38.2-3543.2, Chapter 52 (§ 38.2-5200 et seq.), Chapter 55 (§38.2-5500 et seq.), and Chapter 58 (§ 38.2-5800 et seq.) shall be applicable to any health maintenance organization granted a license under this chapter. This chapter shall not apply to an insurer or health services plan licensed and regulated in conformance with the insurance laws or Chapter 42 (§38.2-4200 et seq.) except with respect to the activities of its health maintenance organization.

C. Solicitation of enrollees by a licensed health maintenance organization or by its representatives shall not be construed to violate any provisions of law relating to solicitation or advertising by health professionals.

D. A licensed health maintenance organization shall not be deemed to be engaged in the unlawful practice of medicine. All health care providers associated with a health maintenance organization shall be subject to all provisions of law.

E. Notwithstanding the definition of an eligible employee as set forth in §38.2-3431, a health maintenance organization providing health care plans pursuant to §38.2-3431 shall not be required to offer coverage to or accept applications from an employee who does not reside within the health maintenance organization's service area.

F. For purposes of applying this section, "insurer" when used in a section cited in subsections A and B shall be construed to mean and include "health maintenance organizations" unless the section cited clearly applies to health maintenance organizations without such construction.

§38.2-4408. Application of certain provisions.

No provision of this title except this chapter and insofar as they are not inconsistent with this chapter §§38.2-100, 38.2-200, 38.2-203, 38.2-209 through 38.2-213, 38.2-218 through 38.2-225, 38.2-229, 38.2-316, 38.2-400, 38.2-402 through 38.2-413, 38.2-500 through 38.2-515, 38.2-600 through 38.2-620 38.2-629, 38.2-700 through 38.2-704, 38.2-800 through 38.2-806, 38.2-1038, 38.2-1040 through 38.2-1044, and Articles 1 (§ 38.2-1300 et seq.), 2 (§38.2-1306.2 et seq.), and 4 (§38.2-1317 et seq.) of Chapter 13, insofar as they are not inconsistent with this chapter, and § 58.1-2500 et seq. shall apply to the operation of a plan.

§38.2-4509. Application of certain laws.

A. No provision of this title except this chapter and, insofar as they are not inconsistent with this chapter, §§38.2-200, 38.2-203, 38.2-209 through 38.2-213, 38.2-218 through 38.2-225, 38.2-229, 38.2-316, 38.2-326, 38.2-400, 38.2-402 through 38.2-413, 38.2-500 through 38.2-515, 38.2-600 through 38.2-620 38.2-629, 38.2-900 through 38.2-904, 38.2-1038, 38.2-1040 through 38.2-1044, Articles 1 (§38.2-1300 et seq.) and 2 (§ 38.2-1306.2 et seq.) of Chapter 13, §§38.2-1312, 38.2-1314, 38.2-1315.1, Articles 4 (§38.2-1317 et seq.), 5 (§38.2-1322 et seq.), and 6 (§38.2-1335 et seq.) of Chapter 13, §§38.2-1400 through 38.2-1442, 38.2-1446, 38.2-1447, 38.2-1800 through 38.2-1836, 38.2-3401, 38.2-3404, 38.2-3405, 38.2-3407.1, 38.2-3407.4, 38.2-3407.10, 38.2-3407.13, 38.2-3407.14, 38.2-3407.15, 38.2-3407.17, 38.2-3407.17:1, 38.2-3407.19, 38.2-3415, 38.2-3541, Article 5 (§ 38.2-3551 et seq.) of Chapter 35, §§38.2-3600 through 38.2-3603, Chapter 55 (§ 38.2-5500 et seq.), and Chapter 58 (§38.2-5800 et seq.) shall apply to the operation of a plan.

B. The provisions of subsection A of §38.2-322 shall apply to an optometric services plan. The provisions of subsection C of §38.2-322 shall apply to a dental services plan.

C. The provisions of Article 1.2 (§32.1-137.7 et seq.) of Chapter 5 of Title 32.1 shall not apply to either an optometric or dental services plan.

D. The provisions of §38.2-3407.1 shall apply to claim payments made on or after January 1, 2014. No optometric or dental services plan shall be required to pay interest computed under §38.2-3407.1 if the total interest is less than $5.

2. That §§38.2-613.2 and 38.2-620 of the Code of Virginia are repealed.