Indiana Insurance Data Security Law
Indiana Code § 27-2-27 et seq.
The Indiana Insurance Data Security Law, Indiana Code § 27-2-27 et seq., went into effect on July 1, 2021.
To read the law, visit Indiana Insurance Data Security Law § 27-2-27
To Whom Does This Law Apply?
The Indiana Insurance Data Security Law § 27-2-27 et seq. applies to all licensees handling or processing non-public insurance data for policyholders or members. A “licensee” is defined as a person who either is or is required to be licensed, authorized to operate, or registered under Indiana Code Title 27. The term “licensee” does not apply to a purchasing group or risk retention group that is chartered and licensed in another state, or a person that is acting as an assuming insurer and domiciled in a state or jurisdiction other than Indiana.
Per Indiana Code § 27-2-27-20(c), licensees that are insurance companies domiciled in Indiana and subject to the Insurance Data Security Law must file with the Indiana Department of Insurance, annually on or before April 15, a certification that the insurer is in compliance with the Insurance Data Security Law.
In an effort to streamline and increase efficiencies, the Indiana Department of Insurance has created the Annual Certification Form. Only insurance companies that are domiciled in Indiana will need to submit the Annual Certification Form.
A licensee may be exempt from Indiana Code § 27-2-27-16 through Indiana Code § 27-2-27-20, which includes the certification requirement for insurance companies domiciled in Indiana, if the licensee meets certain requirements, listed below:
- A licensee is exempt from Sections 16 through 20 if the licensee:
  - Employs fewer than fifty (50) employees;
  - Has less than five million dollars ($5,000,000) in gross annual revenue; or
  - Has less than ten million dollars ($10,000,000) in year-end total assets.
- A licensee is exempt if it is subject to the federal Health Insurance Portability and Accountability Act (Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) and has established and maintains an information security program pursuant to that federal act and the regulations, procedures, or guidelines established under that act.
- A licensee is exempt if it is affiliated with a financial institution (as defined in 15 U.S.C. 6809) that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Consumer Information adopted under Sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805(b)).
If a licensee ceases to qualify for an exemption, the licensee must comply with the requirements of Indiana Code § 27-2-27-16 through Indiana Code § 27-2-27-20 not more than 180 days after the licensee ceases to qualify for the exemption.
If an insurance company domiciled in Indiana meets any of the above criteria for exemption, the insurer is not required to file a Certification Form and may instead file an Exemption Form.
Available Forms to File
- Annual Certification Form: (link to form)
If the insurance company domiciled in Indiana meets the requirements of Indiana Code § 27-2-27 for certification, the Annual Certification Form must be filed annually on or before April 15.
- Exemption Form: (link to form)
If the insurance company domiciled in Indiana is eligible for an exemption pursuant to Indiana Code § 27-2-27-26, the Exemption Form may be filed. The filed Exemption Form will remain valid unless and until the licensee ceases to qualify for the exemption under Indiana Code § 27-2-27.
Cybersecurity Event Investigations and Notification
The Indiana Insurance Data Security Law established new data security requirements for licensees:
- Per Indiana Code § 27-2-27-21(a), if a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on the licensee’s behalf, must conduct a prompt investigation.
- Generally, a licensee will need to notify the IDOI about a cybersecurity event within 3 business days, depending on various factors, which include what type of information was involved, where the potentially impacted consumers are located, and where the licensee is domiciled. Please see Indiana Code § 27-2-27 et seq. for further information.
- For reporting cybersecurity events, notices may be emailed to IDOIdatasecurity@idoi.in.gov or mailed to the Department at:
Indiana Department of Insurance
Attn: Data Security – Legal
311 W. Washington Street, Suite 103
Indianapolis, IN 46204-2787
I am an agent. Do I need to file an Annual Certification Form or an Exemption Form?
No, only insurance companies domiciled in Indiana will need to file.
Does an Exemption Form have to be filed each year?
No, an Exemption Form may be submitted initially if the insurance company domiciled in Indiana meets the criteria for an exemption. If a change occurs such that the exemption no longer applies, the Annual Certification Form must be provided not more than 180 days after the licensee ceases to qualify for the exemption.
Does the Annual Certification Form have to be filed annually?
Yes, by April 15.
Where are the forms located for download and completion?
The forms are only available online and cannot be downloaded. Both forms can be found on this page in the Available Forms to File section.
If there is a parent company, does each subsidiary need to file either the Annual Certification Form or Exemption Form?
Yes. Each insurance company domiciled in Indiana that qualifies as a licensee and has a unique EIN will need to file the Annual Certification Form or, if applicable, may submit the Exemption Form.
How soon do we need to notify the IDOI about a cybersecurity event?
Generally, as promptly as possible and within 3 business days if the event involved certain types of information. Please see Indiana Code § 27-2-27 et seq. for further information.
If an Exemption Form has been filed and a change occurs requiring a certification, what is the timeframe for the Certification Form to be filed?
Pursuant to Indiana Code § 27-2-27-26(e), if a licensee ceases to qualify for an exemption, the licensee must comply with Sections 16 through 20 within 180 days after the licensee ceases to qualify for the exemption.
For any questions, email IDOIdatasecurity@idoi.in.gov.