STAND. COM. REP. NO. 1479
RE: S.B. No. 1100
Honorable Scott K. Saiki
Speaker, House of Representatives
Thirty-First State Legislature
Regular Session of 2021
State of Hawaii
Your Committee on Judiciary & Hawaiian Affairs, to which was referred S.B. No. 1100, S.D. 1, H.D. 1, entitled:
"A BILL FOR AN ACT RELATING TO INSURANCE DATA SECURITY,"
begs leave to report as follows:
Your Committee received testimony in support of this measure from the Department of Commerce and Consumer Affairs; American Insurance Group, Inc.; and Hawaii Captive Insurance Council. Your Committee received comments on this measure from the American Council of Life Insurers.
Your Committee finds that there have been several major data breaches involving large insurers that exposed and compromised the sensitive personal information of millions of insurance consumers. As a result of these breaches, state insurance regulators made the reevaluation of the regulations around cybersecurity and consumer data protection a top priority. This measure adopts the National Association of Insurance Commissioners' Insurance Data Security Model Law that will establish insurance data security standards for Hawaii insurance licensees and ensure insurance data security protections for these licensees.
Your Committee has amended this measure by:
(1) Clarifying that the licensee's domiciliary regulator shall have the power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of the Insurance Data Security Law;
(2) Amending certain references to "outside vendors" and "service providers" to use the defined term "third-party service providers";
(3) Requiring each licensee, instead of each insurer, to submit an annual certification to the Insurance Commissioner;
(4) Clarifying the notice requirements regarding cybersecurity events of third-party service providers;
(5) Inserting language based on the Insurance Data Security Model Law that requires assuming insurers to notify its affected ceding insurers and the Insurance Commissioner of its state of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred involving nonpublic information that is in the possession, custody, or control of the third-party service provider; and
(6) Making technical, nonsubstantive amendments for the purposes of clarity, consistency, and style.
As affirmed by the record of votes of the members of your Committee on Judiciary & Hawaiian Affairs that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 1100, S.D. 1, H.D. 1, as amended herein, and recommends that it be referred to your Committee on Finance in the form attached hereto as S.B. No. 1100, S.D. 1, H.D. 2.
Respectfully submitted on behalf of the members of the Committee on Judiciary & Hawaiian Affairs,
MARK M. NAKASHIMA, Chair