SB54 Alabama 2019 Session

Updated Feb 26, 2026
Notable

Summary

Session: Regular Session 2019
Title: Insurance Data Security Law, Insurance Commissioner to regulate, reports to Insurance Dept., licensee to implement information security programs, oversight of third-party providers, reports re cybersecurity events, criminal penalties, Secs. 10A-20-6.16, 27-21A-23 am'd.
Summary

Alabama's Insurance Data Security Law requires licensees to implement information security programs, report cybersecurity events to the Insurance Commissioner, and follow confidentiality and penalty rules.

What This Bill Does

If passed, insurers and other licensees would have to create and maintain a risk-based information security program with safeguards for nonpublic information and third-party service providers. They must conduct risk assessments, implement identified protections, and maintain an incident response plan. They must report cybersecurity events to the Commissioner within three business days (with required details) and keep records for five years; violations can lead to penalties.

Who It Affects

  • Licensees licensed by the Alabama Department of Insurance (including insurers and similar entities) must implement the program, perform risk assessments, manage third-party service providers, and comply with reporting and penalties.
  • Consumers in Alabama whose nonpublic information is held by licensees are protected by confidentiality rules and may receive notices about cybersecurity events under this law and related privacy requirements.

Key Provisions

  • Establishes the Insurance Data Security Law as the exclusive state standard for licensees' data security, cybersecurity event investigation, and notification to the Commissioner.
  • Defines key terms such as cybersecurity event, nonpublic information, information security program, information system, licensee, third-party service provider, multi-factor authentication, and encrypted.
  • Requires licensees to develop, implement, and maintain a comprehensive written information security program based on risk assessment, including administrative, technical, and physical safeguards.
  • Requires risk assessments, identification of threats, evaluation of safeguards, and regular testing, training, and updates to controls (including encryption, access controls, audit trails, and disaster protection).
  • Requires board oversight for licensees with a board, including annual written reports on program status, compliance, and material issues.
  • Mandates due diligence in selecting third-party service providers and requires them to implement appropriate protective measures; licensees must monitor and adjust the program as needed.
  • Requires an incident response plan to promptly respond to and recover from cybersecurity events, with defined roles, communications, remediation, and post-event evaluation.
  • Imposes notification requirements to the Commissioner within three business days of a qualifying cybersecurity event and detailed information about the event; requires compliance with additional consumer notification laws.
  • Maintains confidentiality of information shared with the Commissioner and allows limited sharing with regulators and third-party consultants while preserving privilege; records must be kept for five years and are subject to examination.
  • Provides penalties for violations (up to $10,000 per violation for licensees, and penalties for insurers/producers as specified), and grants the Commissioner enforcement powers.
  • Includes exemptions for small licensees and certain federally regulated or affiliated entities, with transitional timelines to implement requirements.

AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects: Insurance Department

Bill Actions

  • S: Assigned Act No. 2019-98.
  • S: Banking and Insurance first Amendment Offered
  • H: Signature Requested
  • S: Enrolled
  • S: Passed Second House
  • H: Motion to Read a Third Time and Pass adopted Roll Call 337
  • H: Third Reading Passed
  • H: Read for the second time and placed on the calendar
  • H: Read for the first time and referred to the House of Representatives committee on Technology and Research
  • S: Engrossed
  • S: Motion to Read a Third Time and Pass adopted Roll Call 87
  • S: Waggoner motion to Adopt adopted Roll Call 86
  • S: Waggoner Amendment Offered
  • S: Waggoner motion to Adopt adopted Roll Call 85
  • S: Banking and Insurance Amendment Offered
  • S: Third Reading Passed
  • S: Read for the second time and placed on the calendar 1 amendment
  • S: Read for the first time and referred to the Senate committee on Banking and Insurance

Votes

Motion to Read a Third Time and Pass

April 23, 2019 House Passed
Yes 99
Abstained 2
Absent 3

Documents

Source: Alabama Legislature