The Delaware Department of Insurance published a bulletin reminding insurers of the requirements under the Delaware Insurance Data Security Act.
18 Del.C. Chapter 86 codified the Act in 2019, which required licensees to develop and implement information security programs to prevent data breaches and the compromising of consumers' personal data.
Licensees are expected to conduct investigations to determine if a cybersecurity event occurred and the extent of the data that has been compromised. If an event has occurred, the Department must be notified within three business days, and all impacted consumers must be notified within sixty days. Impacted consumers should be offered complimentary credit monitoring services for one year after the event.
The Department should be notified of a data breach or cybersecurity event via email to [email protected]. Domiciled insurers must certify their compliance with the act and submit an affidavit via the same email address. The commissioner may investigate insurers to determine if they are not in compliance with the act and may take regulatory action.
The bulletin can be found here.