Honolulu, Hawaii



RE:    S.B. No. 1100

       S.D. 1




Honorable Ronald D. Kouchi

President of the Senate

Thirty-First State Legislature

Regular Session of 2021

State of Hawaii




     Your Committee on Commerce and Consumer Protection, to which was referred S.B. No. 1100 entitled:




begs leave to report as follows:


     The purpose and intent of this measure is to adopt the National Conference of Insurance Commissioners' Insurance Data Security Model Law to establish insurance data security standards for Hawaii insurance licensees.


     Your Committee received testimony in support of this measure from the Department of Commerce and Consumer Affairs.  Your Committee received comments on this measure from the Hawaii Insurers Council, American Council of Life Insurers, and National Association of Mutual Insurance Companies.


     Your Committee finds that the National Conference of Insurance Commissioners adopted the Insurance Data Security Model Law in 2017 to strengthen existing data privacy standards and consumer breach notification obligations of insurance licensees.  If states do not adopt provisions of this model law by 2022, they risk federal preemption of state laws in this area.  Although some insurance licensees may already have cybersecurity policies and protocols in place, this measure will ensure and formalize insurance data security protections for all licensees.


     Your Committee has amended this measure by:


     (1)  Inserting a purpose and findings section;


     (2)  Amending the definitions of "cybersecurity event", "information system", and "nonpublic information";


     (3)  Clarifying licensee oversight requirements for third-party service provider arrangements to recognize the unique nature of cloud services;


     (4)  Clarifying that insurers domiciled in this State shall annually submit written statements to the Insurance Commissioner by March 31, rather than February 15;


     (5)  Specifying that if the licensee provides nonpublic information to a third-party service provider and learns that a cybersecurity event has or may have impacted the licensee's nonpublic information in a system maintained by a third-party service provider, the licensee shall complete certain steps or confirm and document that the third-party service provider has taken certain steps;


     (6)  Requiring that each licensee shall notify the Insurance Commissioner no later than three business days, rather than twenty-two hours, from the determination that a cybersecurity event has impacted two hundred fifty or more consumers, and further clarifying the criteria for when notification shall be provided;


     (7)  Clarifying that licensees shall have a continuing obligation to update and supplement initial notifications to the Insurance Commissioner regarding material changes to previously provided information;


     (8)  Clarifying the notification requirements regarding cybersecurity events of reinsurers to insurers;


     (9)  Clarifying that the licensee's domiciliary regulator, rather than strictly the Insurance Commissioner, shall have the power to examine and investigate the affairs of any licensee, and further specifying investigation and examination powers;


    (10)  Inserting an effective date of July 1, 2050, to encourage further discussion; and


    (11)  Making technical, nonsubstantive amendments for the purposes of clarity and consistency.


     As affirmed by the record of votes of the members of your Committee on Commerce and Consumer Protection that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 1100, as amended herein, and recommends that it pass Second Reading in the form attached hereto as S.B. No. 1100, S.D. 1, and be placed on the calendar for Third Reading.


Respectfully submitted on behalf of the members of the Committee on Commerce and Consumer Protection,