The Rhode Island Insurance Division published a bulletin providing an overview of the state’s insurance data security statute to help insurers with compliance. R.I. General Laws § 27-1-46, effective January 1, 2025, sets forth the standards an insurer must meet to maintain an adequate information security system.

R.I. General Laws § 27-1-46 applies only to domestic insurers; foreign insurers are not required to comply with the statute. The Department clarifies that the phrase “commensurate with the size and complexity of an insurer” means that larger and more complex insurers are expected to have a more robust information security system than a small insurer.

Insurers should carefully select third-party service providers and ensure those providers have implemented measures to protect nonpublic information. Insurers must notify the Department if there has been a cybersecurity event that has a reasonable likelihood of harming insureds in the state. A formal notification is only necessary if more than 50 insureds have been harmed.

Insurers must file with the Department following a breach. The filing must include 13 items, but some may be exempted according to the Rhode Island Access to Public Records Act. However, the Department states the public portions of the notices should include these 5 items: name of the insurer, timing of the breach, number of impacted consumers, type of information impacted by the breach, and whether a third-party service provider was involved.

Every domiciled insurer must annually submit a written statement certifying their compliance with this statute by April 15.

While this statute does not apply to foreign insurers, they must still comply with the Health Insurance Portability and Accountability Act and related privacy, security, and breach notification regulations found in the Code of Federal Regulations.

The bulletin can be found here.