Indiana Insurance Data Security Law
Indiana Code § 27-2-27 et seq.
The Indiana Insurance Data Security Law, Indiana Code § 27-2-27 et seq., went into effect on July 1, 2021.
To read the law, visit Indiana Insurance Data Security Law § 27-2-27
The Indiana Executive Council on Cybersecurity (IECC) recently launched two, all-new, FREE-to-download toolkits, both of which are designed to provide organizations with more of the necessary cybersecurity resources for protecting themselves, as well as their critical systems and the people they serve throughout the Hoosier State. These are available at the Indiana Cybersecurity Hub at https://www.in.gov/cybersecurity/.
To Whom Does This Law Apply?
The Indiana Insurance Data Security Law § 27-2-27 et seq. applies to all licensees handling or processing non-public insurance data for policyholders or members. A “licensee” is defined as a person who either is or is required to be licensed, authorized to operate, or registered under Indiana Code Title 27. The term “licensee” does not apply to a purchasing group or risk retention group that is chartered and licensed in another state, or a person that is acting as an assuming insurer and domiciled in a state or jurisdiction other than Indiana.
Per Indiana Code § 27-2-27-20(c), licensees that are insurance companies domiciled in Indiana and subject to the Insurance Data Security Law must file with the Indiana Department of Insurance a certification that the insurer is in compliance with the Insurance Data Security Law, annually on or before April 15th.
In an effort to streamline and increase efficiencies, the Indiana Department of Insurance has created the Annual Certification Form. Only insurance companies that are domiciled in Indiana will need to submit the Annual Certification Form.
A licensee may be exempt from Indiana Code § 27-2-27-16 through Indiana Code § 27-2-27-20, which includes the certification requirement for insurance companies domiciled in Indiana, if the licensee meets certain requirements, listed below:
- A licensee is exempt from Sections 16 through 20 if the licensee:
  - Employs fewer than fifty (50) employees;
  - Has less than five million dollars ($5,000,000) in gross annual revenue; or
  - Has less than ten million dollars ($10,000,000) in year-end total assets.
- A licensee that is subject to the federal Health Insurance Portability and Accountability Act (Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) and has established and maintains an information security program pursuant to that federal act and the regulations, procedures, or guidelines established under that act.
- A licensee that is affiliated with a financial institution (as defined in 15 U.S.C. 6809) that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Consumer Information adopted under Sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805(b)).
If a licensee ceases to qualify for an exemption, the licensee must comply with the requirements of Indiana Code § 27-2-27-16 through Indiana Code § 27-2-27-20 not more than 180 days after the licensee ceases to qualify for the exemption.
Available Forms to File
- Annual Certification Form: (link to form)
If the insurance company domiciled in Indiana meets the requirements of Indiana Code § 27-2-27 for certification, the Annual Certification Form must be filed annually on or before April 15.
Cybersecurity Event Investigations and Notification
The Indiana Insurance Data Security law established new data security requirements for licensees:
- Per Indiana Code § 27-2-27-21(a), if a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on the licensee’s behalf, must conduct a prompt investigation.
- Generally, a licensee will need to notify the IDOI about a cybersecurity event within 3 business days, depending on various factors, which include what type of information was involved, where the potentially impacted consumers are located, and where the licensee is domiciled. Please see Indiana Code § 27-2-27 et seq. for further information.
The Department encourages licensed entities to report cybersecurity events through the links below.
If you need to report a cybersecurity event, please follow the appropriate link below. This will require an Access Indiana account, which can be created at https://www.in.gov/access/. You will use this account any time you need to report a new event or provide an update on a previously submitted event.
For reporting new cybersecurity events:
For updating existing cybersecurity events:
If you have any questions, please email IDOIdatasecurity@idoi.in.gov.
I am an agent. Do I need to file an Annual Certification Form?
No, only insurance companies domiciled in Indiana will need to file.
Does the Annual Certification Form have to be filed annually?
Yes, by April 15.
Where is the form located for download and completion?
The form is only available online and cannot be downloaded; it can be found on this page in the Available Forms to File section.
If there is a parent company, does each subsidiary need to file the Annual Certification Form?
Yes. Each insurance company domiciled in Indiana that qualifies as a licensee, is not exempt, and has a unique EIN will need to file the Annual Certification Form.
How soon do we need to notify the IDOI about a cybersecurity event?
Generally, as promptly as possible within 3 business days if the event involved certain information. Please see Indiana Code § 27-2-27 et seq. for further information.
If a company is exempt from filing the Annual Certification Form and a change occurs requiring a certification, what is the timeframe for the Certification Form to be filed?
Pursuant to Indiana Code § 27-2-27-26(e), if a licensee ceases to qualify for an exception, the licensee must comply with Sections 16-20 within 180 days after the licensee ceases to qualify for the exception.
For any questions, email IDOIdatasecurity@idoi.in.gov.