On April 3, 2019, Senate Bill No. 2831 otherwise known as the Insurance Data Security Law (the “Cybersecurity Law”) was signed into law by the Governor. The Cybersecurity Law became effective on July 1, 2019, and is codified in Sections 83-5-801 to 83-5-825.
The Cybersecurity Law defines the requirements applicable to a “licensee” and establishes standards for data security, as well as standards for the investigation of a cybersecurity event and for notification of the Commissioner when one occurs.
Key Implementation Dates
July 1, 2019
Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred when certain criteria are met.
July 1, 2020
Licensees must have implemented the requirements of Section 83-5-807 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020. (See the key exceptions to the Cybersecurity Law below.)
February 15, 2021
Beginning on this date, each insurer domiciled in Mississippi must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in Section 83-5-807.
July 1, 2021
Licensees must have implemented the requirements of Section 83-5-807(6) by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee. (See the key exceptions to the Cybersecurity Law below.)
Exceptions to the Cybersecurity Law
- A licensee may be exempt from the requirements provided in Sections 83-5-807, 83-5-809(3) and 83-5-811(4)(a) and (b) of the Act if the licensee meets any of the following criteria:
  - Has fewer than fifty (50) employees, excluding independent contractors;
  - Has less than Five Million Dollars ($5,000,000.00) in gross annual revenue;
  - Has less than Ten Million Dollars ($10,000,000.00) in year-end total assets; or,
  - Is an insurance producer or insurance adjuster.
- A Licensee that has established and maintains an information security program pursuant to the requirements of HIPAA will be considered to meet the requirements of Section 83-5-807, provided the Licensee submits a written certification of its compliance with Section 83-5-807.
- An employee, agent, representative or designee of a Licensee, who is also a Licensee, is exempt from Section 83-5-807 to the extent they are covered by the information security program of the other Licensee.
- A Licensee affiliated with a depository institution that maintains an Information Security Program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as set forth pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), shall be considered to meet the requirements of Section 83-5-807, provided that the Licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution’s adoption of an Information Security Program that satisfies the Interagency Guidelines.
Exception Certification Form (Only Licensees who are Insurers and have an NAIC # are required to complete this form)
Reporting of a Cybersecurity Event
A licensee shall notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred.
To report a Cybersecurity Event via our website, please click on the following link: Report A Cybersecurity Event
(Information provided in the report above shall be confidential pursuant to Section 83-5-815)
Cybersecurity Notification Form (All Licensees pursuant to Section 83-5-811)
Information Security Program Certification Form (Domestic Insurers only, where the insurer does not meet the exemption requirements pursuant to Section 83-5-817)
Additional Information and Resources
The Department will issue additional guidance regarding the implementation of this legislation below as it becomes available.
Contact Information
Questions concerning the Insurance Data Security Law or the reporting of a cybersecurity event can be sent to cyberreporting@mid.ms.gov.