Skip to agency navigation
Skip to main content

Official Website

of the Commonwealth of Pennsylvania

    The .gov means its official.

    Local, state, and federal government websites often end in .gov. Commonwealth of Pennsylvania government websites and email systems use "pennsylvania.gov" or "pa.gov" at the end of the address. Before sharing sensitive or personal information, make sure you're on an official state website. 

    Insurance Data Security

    Act 2 of 2023

    Act 2 of 2023 (HB 739) requires insurance licensees to take specific actions to safeguard consumers' information, effective December 11, 2023. This legislation was derived from model legislation developed by the National Association of Insurance Commissioners, incorporating input from all participating state insurance commissioners, industry stakeholders, and consumer representatives. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. 

    Upcoming Key Implementation Dates

    • December 11, 2024, licensees must have implemented the required elements relating to Risk Assessment, Information Security Program, and Corporate Oversight.
    • December 11, 2025, licensees must have implemented the additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee. Information related to third-party service providers is located under § 4515 of the Act.
    • No later than April 15, 2026, each insurer domiciled in this Commonwealth must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements outlined in the Act. Information related to certification is located under § 4516 of the Act.

    When Must a Cybersecurity Event Notification be Submitted?

    A "cybersecurity event" is an event resulting in unauthorized access to, disruption of or misuse of an information system or nonpublic information stored on the information system. The term does not include: 

    • The unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released, or used without authorization. 
    • An event where the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.  

    This Act requires, among other things, that a licensee investigate a cybersecurity event and notify the Commissioner as promptly as possible, but in no event later than five business days after determining that a cybersecurity event has occurred when certain criteria are met. If a cybersecurity event is not reported within 5 business days, the Licensee could face additional Department oversight, examinations, or even loss of license.  

    View the Reporting Requirements for the Submission of a Cyber Security Event Notification.

     

    Cybersecurity Event Examples

    Below are common examples of cybersecurity events that would require a licensee to notify the Department. These breach examples include, but are not limited to:

    • Theft  
    • Phishing  
    • Hacking   
    • Stolen/Lost Equipment  
    • DNS/Ransomware   
    • Improper Disclosure  
    • Improper Disposal  
    • Lost During Move  
    • Unauthorized Access  
    • Compromised Computer/Equipment  

    It is important to note that this list is not exhaustive and other circumstances not included on the list above may qualify as a Cybersecurity event and require the commissioner's notification. If you are unsure or have questions, please reach out via email toRA-INdatasecurity@pa.gov.

     

    Questions

    Questions concerning the Act or a Cybersecurity event notification can be sent to RA-INdatasecurity@pa.gov.