Risk assessment
Licensees are required to conduct an annual risk assessment to identify internal and external threats, assess the likelihood of potential threats and determine the sufficiency of current safeguards in place to manage threats.
Information security program
Under the act, licensees must establish and implement an information security program tailored to mitigate the identified risks. This program should include the following essential components:
- Development of policies and procedures to effectively manage information security risks
- Implementation of technical controls to safeguard data against unauthorized access or breaches
- Provision of comprehensive training programs to enhance employee awareness and knowledge of data security protocols
- Development and implementation of a written incident response plan
Corporate oversight
To ensure accountability, licensees must designate a responsible individual (executive management may assign this role to a "delegated entity") to oversee the effectiveness of the information security program. This individual reports to the board of directors or governing body of the licensee on the status of the program and any material changes to it.
Oversight of third-party service provider arrangements
Licensees must identify and assess all third-party service providers that have access to non-public information or personal information of residents of Pennsylvania. They are required to conduct due diligence on these providers, evaluating their security practices, risk management procedures, and incident response plans. Licensees must also establish written contracts that include provisions mandating the protection of personal information, notification of cybersecurity incidents, and cooperation in regulatory or law enforcement investigations.
Effective date and compliance deadline
The Pennsylvania Insurance Data Security Act becomes effective in December 2023. Licensees are given a compliance period and must fully implement the requirements of the risk assessment, information security program, corporate oversight, and certification sections by December 2024. The section on oversight of third-party service provider arrangements must be implemented by December 2025.
No later than one year after the effective date and each April 15 thereafter, licensees must submit a written report to the commissioner certifying they are in compliance with each of the requirements of the act.
Taking steps to comply
The Pennsylvania Insurance Data Security Act represents a significant step forward in safeguarding the personal information of Pennsylvanians and strengthening data security practices within the insurance industry.
As insurance licensees look to align their practices with the act, as well as with other data security frameworks and regulations, they can strengthen their compliance and security efforts in the following ways:
- Compliance gap assessment: With the help of a trusted advisor experienced in industry regulations, you can identify the areas where your security program is not aligned with the act's requirements and develop a road map for compliance.
- Risk assessment: By reviewing applicable threats, attack vectors, and controls, an advisor can identify and prioritize risks that affect your critical data and assets.
- Program development and framework alignment: To encourage ongoing compliance, you should develop a security program that works for your business and aligns with leading security practices.
- Third-party risk management: Proactive management of third-party risk is a key component not only of the Pennsylvania Insurance Data Security Act but of any effective security program. By facilitating third-party security questionnaires, risk ratings, vendor tracking, contract reviews, and other due diligence practices, you can identify and manage risks associated with third parties.
- Virtual chief information security officer (vCISO) consulting: vCISO services offer invaluable program guidance, helping you stay on top of industry and regulatory changes and continuously improving your ability to secure sensitive data, protect critical business functions and ensure corporate resilience.
For licensees not already subject to other states' versions of the model law, the new Pennsylvania Insurance Data Security Act requires a coordinated approach and a more extensive plan to address evolving cybersecurity risks. The necessary steps can be complex, and many companies may not have the internal experience needed to establish compliance.