The bill, known as HF 719, came about in response to several major data breaches involving large insurers that exposed and compromised the sensitive personal information of millions of insurance consumers over the past few years, Rep. Garrett Gobble said via email.
As a result, Gobble said, state insurance regulators made re-evaluating regulations around cybersecurity and consumer data protection a top priority.
“In early 2016, the NAIC (National Association of Insurance Commissioners) began drafting the Insurance Data Security Model Law,” he said. “The model was adopted by the NAIC in October 2017 following almost two years of extensive deliberations and input from state insurance regulators, consumer representatives and the insurance industry.”
That same year, Gobble said, a report on the asset management and insurance industries by the U.S. Treasury Department recommended that states adopt the model, prompting the proposal of HF 719 by the Information Technology Committee of the Iowa House of Representatives.
“There are two sides to the bill,” Doug Ommen, insurance commissioner of the Iowa Insurance Division, said. “The first is making sure that companies’ defenses are hardened and less susceptible to outside attacks.”
“The second,” Ommen continued, is “understanding what needs to be done if there is a breach and providing redress for consumers who have been impacted.”
Under the new law, an Information Security Program will be created to enforce various standards and penalties laid out in the bill.
Standards include protecting “the security and confidentiality of nonpublic information and licensee’s information systems” and defining “a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations.”
As for enforcing these standards, the bill states that the insurance commissioner will have the authority to impose civil penalties for any violations.
For example, the bill states under subtitle 505.7A that “penalties imposed ... by order of the commissioner of insurance after hearing shall not exceed one thousand dollars for each act or violation.” However, if the person knew that they violated the subtitle, the penalty could increase up to $5,000.
Ommen said the new security program’s focus is to make sure companies self-evaluate their information systems and strengthen protections against cyber attacks as much as possible.
“The issues of data privacy are really important as computers continue to accumulate more information,” Ommen said. “Information doesn’t flow directly from one source; it flows in from other data sources.”
Because of this, he said, “we do consider this bill an important step in alerting many insurance companies to risks, putting them at the forefront of addressing these issues and strengthening their protections.”
Currently, there are over 200 insurers domiciled in Iowa and over 1,300 non-domestic admitted insurance carriers in Iowa, according to Rep. Gobble. Due to these numbers, he said, the bill is important for maintaining the state’s insurance industry.