2. A description of how the cybersecurity event was discovered.
3. A description of how the nonpublic information was exposed, lost, stolen, or breached and an explanation of how the information has been, or is in the process of being, recovered.
4. A description of the specific data elements, including types of medical, financial, and personally identifiable information, that were acquired without authorization.
5. The number of consumers affected by the cybersecurity event.
6. A description of efforts to address the circumstances that allowed the cybersecurity event to occur.
7. The results of any internal review related to the cybersecurity event, including the identification of a lapse in automated controls or internal procedures.
8. Whether the licensee notified a government body, self-regulatory agency, or other supervisory entity of the cybersecurity event and, if applicable, the date the notification was provided.
9. A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take, or has taken, to investigate and notify consumers affected by the cybersecurity event.
10. The name of a contact person who is familiar with the cybersecurity event and authorized to act for the licensee.
(c) The licensee shall update and supplement the information provided under par. (b) to address material changes to the information as additional information becomes available to the licensee.
(2) Notice to consumers and producers of record. A licensee required to notify the commissioner under sub. (1) shall comply with s. 134.98, if applicable, and provide to the commissioner a copy of any notice sent under s. 134.98 (2). If the licensee is an insurer whose services are accessed by consumers through an independent insurance producer, the licensee shall notify the producer of record of any consumers affected by the cybersecurity event no later than the date at which notice is provided under s. 134.98, except that notice is not required to a producer of record who is not authorized by law or contract to sell, solicit, or negotiate on behalf of the licensee or if the licensee does not have the current producer of record information for a consumer.
(3) Third-party service providers. If the licensee has knowledge of a cybersecurity event involving an information system maintained by a 3rd-party service provider, the licensee shall provide notice to the commissioner no later than 3 days after the earlier of the date the 3rd-party service provider notifies the licensee of the cybersecurity event or the licensee has actual knowledge of the cybersecurity event. The licensee is not required to comply with this subsection if the 3rd-party service provider provides notice under sub. (1).
(4) Reinsurers. In the event of a cybersecurity event involving nonpublic information, or involving an information system maintained by a 3rd-party service provider, a licensee who is acting as an assuming insurer and who does not have a direct contractual relationship with consumers affected by the cybersecurity event shall notify the ceding insurer and the commissioner of the licensee's state of domicile of the cybersecurity event no later than 3 business days after learning of the cybersecurity event. The licensee shall have no other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of this state. A ceding insurer who has a direct contractual relationship with the affected consumers shall comply with the notification requirements under this section and, if applicable, the requirements under s. 134.98.
Section 8. 601.955 of the statutes is created to read:
601.955 Confidentiality. (1) All of the following apply to documents, materials, and other information in the possession or control of the commissioner that are obtained by, created by, or disclosed to the commissioner or any other person under this subchapter:
(a) The documents, materials, and other information are considered proprietary and contain trade secrets.
(b) The documents, materials, and other information are confidential and privileged, and the privilege may not be constructively waived.
(c) The documents, materials, and other information are not open to inspection or copying under s. 19.35 (1).
(d) The documents, materials, and other information are not subject to subpoena or discovery and are not admissible as evidence in a private civil action.
(e) The commissioner may use the documents, materials, and other information in the furtherance of any regulatory or legal action brought as a part of the commissioner's official duties.
(f) The commissioner may not make the documents, materials, or other information public without first obtaining written consent of the licensee.
(g) Neither the commissioner nor any person who received the documents, materials, or other information may testify or be required to testify in any private civil action regarding the documents, materials, or other information.
(2) Notwithstanding sub. (1), the commissioner may share, upon request, the documents, materials, or other information with other state, federal, and international financial regulatory agencies if the recipient agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information and has verified that it has the legal authority to maintain confidentiality. The commissioner may receive documents, materials, or other information related to this subchapter from other state, federal, and international financial regulatory agencies and shall maintain as confidential or privileged any documents, materials, or other information that is treated as confidential or privileged under the laws of the jurisdiction that is the source of the documents, materials, or other information. The sharing of documents under this subsection does not constitute a delegation of regulatory authority and does not act as a waiver of privilege.
(3) Notwithstanding sub. (1), the commissioner may share the documents, materials, or other information under this section with a 3rd-party consultant or vendor if the consultant or vendor agrees in writing to maintain the confidentiality and privileged status of the documents, materials, and other information shared under this section.
(4) Nothing in this subchapter prohibits the commissioner from releasing final, adjudicated actions that are open to public inspection to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates, or subsidiaries.
Section 9. 601.956 of the statutes is created to read:
601.956 Enforcement. The commissioner shall have the power to examine and investigate the affairs of any licensee to determine whether the licensee has engaged in conduct in violation of this subchapter and to take action that is necessary or appropriate to enforce the provisions of this subchapter. This power is in addition to the powers that the commissioner has under subch. IV of this chapter. An investigation or examination under this section shall be conducted under subchs. IV and V of this chapter.
Section 10. Effective date.
(1) This act takes effect on the first day of the 4th month beginning after publication.
(End)