Report A Cybersecurity Event
Each licensee, under certain circumstances, shall notify the commissioner within three business days after a determination of the occurrence of a cybersecurity event. The Insurance Data Security Law (Act 283 of the 2020 Regular Session) defines both “licensee” and “cybersecurity event” and creates the reporting requirement.
Generally, a “licensee” is a person or entity regulated by the commissioner of insurance, and a “cybersecurity event” involves the loss of electronic nonpublic information belonging to consumers and in the possession of licensees or the compromise of the information system of a licensee.
Reporting Flowchart
The Reporting a Cybersecurity Event Flowchart is meant only to be a guide for licensees, who are responsible for understanding and complying with the provisions of La. R.S. 22:2506, which governs notification to the commissioner and to consumers.
Notification Process
If, after a prompt investigation, a licensee determines both a cybersecurity event has occurred and a report is required, the licensee shall notify the commissioner without unreasonable delay but in no event later than three business days. When in doubt as to whether to notify the commissioner through the LDI, all licensees are encouraged to report the cybersecurity event and begin a dialogue with LDI staff as soon as possible.
Licensees will notify the commissioner and LDI using the Cybersecurity Reporting Module in the Industry Access Portal, https://ia.ldi.state.la.us/industryaccess.
Supplemental Information
Not all information may be available at the time of the initial report to the LDI. Licensees have a continuing obligation to update and supplement their initial and subsequent reports about material developments relating to the cybersecurity event as provided in La. R.S. 22:2506. Updates and supplemental information should be submitted to cyber.report@ldi.la.gov.
Louisiana Insurance Data Security Law Information Security Program
Pursuant to
Bulletin 2021-04, all licensees of the Louisiana Department of Insurance, as that term is defined in La. R.S. 22:2503(7), are now required to develop, implement and maintain a comprehensive written information security program (ISP) that complies with the requirements of La. R.S. 22:2054 no later than August 1, 2021. Bulletin 2021-04 also requires the submission of either a certification of compliance with La. R.S. 22:2504 or exemption under La. R.S. 22:2509. Below you will find a link to the bulletin with information on filing dates and requirements, as well as links to both the certification and exemption forms.
Bulletin 2021-04
Louisiana Insurance Data Security Law Information Security Program Certification Form
Louisiana Insurance Data Security Law Information Security Program Exemption Certification Form
If you meet any of the following criteria, it is only necessary to submit the Louisiana Insurance Data Security Law Information Security Program Exemption Certification Form:
- Have fewer than twenty-five (25) employees.
- Have less than five million dollars in gross annual revenue.
- Have less than ten million dollars in year-end total assets.
- Are a licensee who is also an employee, agent, representative, or designee of another licensee, to the extent that you are covered by the other licensee’s ISP. A single licensed producer employed by an agency will fall under this exemption.
- Are subject to the Health Insurance Portability and Accountability Act (HIPAA), establish and maintain an information security program (ISP) pursuant to HIPAA statutes, rules, regulations, procedures, or guidelines, AND comply with and submit, upon request, a written certification of compliance with the ISP established pursuant to HIPAA statutes, rules, regulations, procedures, or guidelines.
- Are affiliated with a depository institution subject to the Interagency Guidelines Establishing Information Security Standards pursuant to the Gramm-Leach-Bliley Act (Gramm-Leach-Bliley), establish and maintain an information security program (ISP) pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures, or guidelines, AND comply with and submit, upon request, a written certification of compliance with the ISP established pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures or guidelines.
- Are subject to a jurisdiction approved by the commissioner, establish and maintain an information security program (ISP) pursuant to that jurisdiction’s statutes, rules, regulations, procedures, or guidelines, AND comply with and submit a written certification of compliance with the ISP established pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures, or guidelines.
Annual certification and exemption forms are to be submitted through the Cybersecurity Certification Module in the Industry Access Portal, found at
https://ia.ldi.state.la.us/industryaccess/.
Any questions regarding Bulletin 2021-04 or the certification or exemption forms should be submitted to
cyber.questions@ldi.la.gov.