Legislation

Mississippi Cybersecurity Law

On April 3, 2019, Senate Bill No. 2831, otherwise known as the Insurance Data Security Law (the "Cybersecurity Law"), was signed into law by the Governor. The Cybersecurity Law will become effective on July 1, 2019.

The Cybersecurity Law defines the requirements applicable to a "licensee" and establishes standards for data security and standards for the investigation of and notification to the Commissioner of a cybersecurity event.

Key Implementation Dates

  • July 1, 2019
    • Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred when certain criteria are met.
  • July 1, 2020
    • Licensees must have implemented Section 4 of Senate Bill 2831 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020. (See key exceptions to the Cybersecurity Law below)
  • February 15, 2021
    • Beginning on this date, each insurer domiciled in Mississippi must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in Section 4 of Senate Bill 2831.
  • July 1, 2021
    • Licensees must have implemented Section 4(6) of Senate Bill 2831 by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee. (See key exceptions to the Cybersecurity Law below)

Exceptions to the Cybersecurity Law

  • A licensee may be exempt from the requirements provided in Sections 4, 5(3) and 6(4)(a) and (b) of the Act if the licensee meets any of the following criteria:
    • Has fewer than fifty (50) employees, excluding independent contractors;
    • Has less than Five Million Dollars ($5,000,000.00) in gross annual revenue;
    • Has less than Ten Million Dollars ($10,000,000.00) in year-end total assets; or,
    • Is an insurance producer or insurance adjuster.
  • A Licensee that has established and maintains an information security program pursuant to the requirements of HIPAA will be considered to meet the requirements of Section 4 of the Act, provided the Licensee submits a written certification of its compliance with Section 4 of the Act.
  • An employee, agent, representative or designee of a Licensee, who is also a Licensee, is exempt from Section 4 of the Act to the extent they are covered by the information security program of the other Licensee.
  • A Licensee affiliated with a depository institution that maintains an Information Security Program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information as set forth pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) shall be considered to meet the requirements of Section 4, provided that the Licensee produces, upon request, documentation satisfactory to the commissioner that independently validates the affiliated depository institution’s adoption of an Information Security Program that satisfies the Interagency Guidelines.

Reporting of a Cybersecurity Event

A licensee shall notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred.

To report a Cybersecurity Event via our website, please click on the following link: Report A Cybersecurity Event

(Information provided in the report above shall be confidential pursuant to Section 8 of Senate Bill 2831)

Additional Information and Resources

The Department will issue additional guidance regarding the implementation of this legislation below as it becomes available.

  1. Senate Bill No. 2831 – Insurance Data Security Law Effective July 1, 2019
  2. MID Bulletin 2019-4 – Insurance Data Security Law

Contact Information

Questions concerning the Insurance Data Security Law or the reporting of a cybersecurity event can be sent to cyberreporting@mid.ms.gov
