HB101 Alabama 2019 Session

Updated Feb 26, 2026
Notable

Summary

Primary Sponsor
Kerry Rich
Republican
Session
Regular Session 2019
Title
Insurance Data Security Law, Insurance Commissioner to regulate, reports to Insurance Dept., licensee to implement information security programs, oversight of third-party providers, reports re cybersecurity events, criminal penalties, Secs. 10A-20-6.16, 27-21A-23 am'd.
Summary

HB 101 creates the Insurance Data Security Law requiring insurers and other licensees to adopt information security programs, report cybersecurity events to the Insurance Commissioner, and protect nonpublic information.

What This Bill Does

Licensed insurers and other entities must develop, implement, and maintain a comprehensive information security program based on a risk assessment. The program must include administrative, technical, and physical safeguards, address third-party providers, and include an incident response plan and ongoing testing. They must notify the Insurance Commissioner of cybersecurity events promptly (usually within three business days after determination) and maintain records for five years. The act also provides confidentiality for information shared with the Commissioner, possible civil penalties for violations, and phased timelines for compliance, with certain small-licensee exemptions.

Who It Affects

  • Licensees (insurers and other entities licensed by the Department of Insurance) must implement security programs, oversee risk assessments, manage third-party providers, and report cybersecurity events to the Commissioner.
  • Consumers in Alabama whose nonpublic information could be affected by cybersecurity events are protected under the act and may receive required notifications; the act relies on existing consumer-notification laws and maintains confidentiality rules for data shared with regulators.

Key Provisions

  • Establishes the Insurance Data Security Law and amends Sections 10A-20-6.16 and 27-21A-23 to bring data security standards to insurers and related entities.
  • Requires licensees to develop and maintain a risk-based information security program with administrative, technical, and physical safeguards for nonpublic information and information systems.
  • Requires risk assessments, threat identification, employee training, regular testing, and secure data disposal as part of the program.
  • Requires due diligence in selecting third-party service providers and mandates that they implement appropriate safeguards; licensees remain responsible for protecting information accessed by these providers.
  • Requires a written incident response plan and ongoing monitoring to promptly respond to and recover from cybersecurity events.
  • Requires notifying the Insurance Commissioner within defined timelines after a cybersecurity event and providing detailed information; certain events involving third parties are treated similarly.
  • Confidentiality and privilege protections apply to information shared with the Commissioner, with limited sharing allowed among regulators and law enforcement under written agreements.
  • Penalties include civil fines up to $10,000 per violation for licensees and possible license suspension or revocation; producers may be penalized under existing laws.
  • Board or senior management oversight is required, with annual reporting on the information security program and findings; phased implementation timelines apply (two years for third-party provider provisions, one year for remainder).
  • Exemptions exist for very small licensees and certain HIPAA/GLBA-covered entities; the act becomes effective immediately with transitional provisions.
AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.
Subjects
Insurance Department

Bill Actions

  • Senate: Read for the first time and referred to the Senate committee on Banking and Insurance
  • House: Engrossed
  • House: Motion to Read a Third Time and Pass adopted Roll Call 68
  • House: Motion to Adopt adopted Roll Call 67
  • House: Rich Amendment Offered
  • House: Motion to Adopt adopted Roll Call 66
  • House: Insurance Amendment Offered
  • House: Third Reading Passed
  • House: Read for the second time and placed on the calendar 1 amendment
  • House: Read for the first time and referred to the House of Representatives committee on Insurance

Votes

Motion to Read a Third Time and Pass

April 2, 2019 House Passed
Yes 101
Absent 3

Motion to Adopt

April 2, 2019 House Passed
Yes 98
Abstained 1
Absent 5

Source: Alabama Legislature