AB 819 WI 2019

Session
2019
Sponsors
  • Kevin David Petersen (R)
  • Adam Neylon (R)
  • Cindi R. Duchow (R)

Title

Relating to: imposing requirements related to insurance data cybersecurity and granting rule-making authority. (FE)

Summary

Analysis by the Legislative Reference Bureau
2019 - 2020 Legislature, LRB-4547/1 EKL:amn, ASSEMBLY BILL 819

This bill imposes requirements relating to the protection of nonpublic information on insurers and other persons regulated by the Office of the Commissioner of Insurance (licensees). The bill defines “nonpublic information” to mean nonpublic electronic information in the possession, custody, or control of a licensee that is either information concerning a Wisconsin resident that can be used to identify the individual in combination with another data element, such as a Social Security number, or certain health-related information that can be used to identify a Wisconsin resident.

Under the bill, a licensee must conduct a risk assessment and develop an information security program based on the assessment. The risk assessment must identify and assess reasonably foreseeable threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information. The information security program must contain safeguards for the protection of the licensee's information systems and nonpublic information and be designed to mitigate threats, commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, and the sensitivity of the nonpublic information. The bill requires the licensee to take specified risk mitigation actions and to monitor, evaluate, and adjust the information security program as appropriate. The bill also requires that a licensee develop an incident response plan to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information, the licensee's information systems, or the continuing functionality of the licensee's business or operations.

Under the bill, “cybersecurity event” generally means an event resulting in the unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system. The bill further requires that a licensee exercise due diligence in selecting third-party service providers and make reasonable efforts to require that a service provider implement measures to protect and secure information systems and nonpublic information and report the occurrence of any cybersecurity event.

Under the bill, the above requirements do not apply to a licensee who has less than $10 million in year-end total assets, less than $5 million in gross annual revenue, or fewer than 25 full-time employees. However, the commissioner may issue an order to require compliance by an otherwise exempt licensee if warranted by the licensee's circumstances. A licensee who is not exempt from the requirements must annually certify to the commissioner that the licensee has complied with them.

Additionally, if a licensee knows that a cybersecurity event has or may have occurred, the bill requires that the licensee conduct a prompt investigation to assess the nature and scope of the event and take related actions, including the performance of reasonable measures to restore the security of affected information systems. If the cybersecurity event involves an information system maintained by a third-party service provider, the licensee must comply with the investigation requirements or make reasonable efforts to confirm that the service provider has either complied with the requirements or failed to cooperate with the investigation.

Under the bill, a licensee must notify the commissioner of a cybersecurity event if either of the following conditions is met:

  1. The licensee is domiciled in Wisconsin and the cybersecurity event has a reasonable likelihood of materially harming a Wisconsin resident or a material part of the licensee's normal operations.

  2. The licensee reasonably believes that the cybersecurity event involves the nonpublic information of at least 250 Wisconsin residents, and the cybersecurity event either must be reported to a government entity under federal or state law or has a reasonable likelihood of materially harming a Wisconsin resident or a material part of the licensee's normal operations.

The notification must provide specified information about the cybersecurity event, including details about the event and its discovery, a description of the accessed nonpublic information, the number of affected Wisconsin residents, and the licensee's efforts to address the circumstances that allowed the event to occur. The licensee is required to update the commissioner on material changes to the information and as additional information becomes available. If the cybersecurity event involves a third-party service provider, the licensee must notify the commissioner of the event unless the service provider does so.

Under the bill, the commissioner has the power to examine and investigate the affairs of a licensee to determine whether a violation of any of the above requirements has occurred. A licensee must generally keep records relating to the requirements for at least five years and produce them upon demand of the commissioner. Any documents, materials, and other information from a licensee that are in the possession or control of the commissioner are confidential and privileged.

For further information see the state fiscal estimate, which will be printed as an appendix to this bill.

Bill Text

Bill Activity

  • Failed to concur in pursuant to Senate Joint Resolution 1

  • Available for scheduling

  • Read first time and referred to committee on Senate Organization

  • Received from Assembly

  • Ordered immediately messaged

  • Read a third time and passed

  • Rules suspended

  • Ordered to a third reading

  • Assembly Amendment 1 adopted

  • Read a second time

  • Placed on calendar 2-18-2020 by Committee on Rules

  • Referred to committee on Rules

  • Report passage as amended recommended by Committee on Science and Technology, Ayes 8, Noes 0

  • Report Assembly Amendment 1 adoption recommended by Committee on Science and Technology, Ayes 5, Noes 0

  • Executive action taken

  • Assembly Amendment 1 offered by Representative Petersen

  • Fiscal estimate received

  • Public hearing held

  • Fiscal estimate received

  • LRB correction

  • Read first time and referred to Committee on Science and Technology

  • Introduced by Representatives Petersen, Neylon and Duchow; cosponsored by Senators Testin, Feyen and Olsen

Votes

  • Lower chamber: Report Assembly Amendment 1 adoption recommended by Committee on Science and Technology, Ayes 5, Noes 0
  • Lower chamber: Report passage as amended recommended by Committee on Science and Technology, Ayes 8, Noes 0