The Pennsylvania Insurance Data Security Act
The Pennsylvania Insurance Data Security Act: A Crucial Guide for Insurance Agencies

On June 22nd 2023, a game-changing law was signed by Governor Josh Shapiro. Known as the Pennsylvania Insurance Data Security Act (PIDSA), this law is a big step in boosting cybersecurity within the insurance industry. Let’s break down what insurance agencies need to know and do to make sure they’re in line with this new rule.

What is PIDSA All About?

PIDSA is a new law that focuses on protecting the sensitive information of insurance customers. It’s like a safety net, making sure that insurance companies and agents keep their cybersecurity defenses strong. This law got a thumbs-up from everyone – both sides of the political aisle were on board. 

Here is what insurance folks must do under PIDSA: 

  1. Risk Assessments: This means taking a close look at the company’s systems to spot any weak points where hackers could break in. Agencies need to figure out what kind of cyber threats are out there, how likely they are to happen, and how bad it would be if they did. 
  2. Information Security Programs: Based on what they find in the risk assessments, agencies need to build strong security programs. These programs should be aimed at fixing any weak points, stopping cyberattacks, and having a game plan for bouncing back if an attack does happen.
  3. Notify the Insurance Commissioner: If a cyberattack occurs and customer information is at risk, agencies can’t sit on this information. They must tell the Insurance Commissioner within five business days.

These steps are all about making the insurance world more prepared and quicker on its feet when it comes to cyberattacks and online crimes.

Joining the Larger Effort

It’s not just Pennsylvania thinking about this – there’s a national push to get the insurance industry to tighten up cybersecurity. PIDSA is based on a model set by the National Association of Insurance Commissioners (NAIC) in 2017. With this law, Pennsylvania becomes the 22nd state to join the club. 

Why This Matters - Big Time!

Cybercrime is getting worse, and insurance companies are like treasure chests full of the personal information that hackers love. In 2022, cybercrime cost people in the US over $10.3 billion. That’s not small change – and it’s up 49% from the year before. Pennsylvania had more people affected by cybercrime than several countries combined. Insurance agencies must get serious about cybersecurity. 

Steps to Get With the Program

Insurance agencies should start by taking that deep dive into their cybersecurity – that’s the risk assessment. They’ll need to create their security programs based on what they find. 

Next, it’s essential to have a solid plan for what to do if a cyberattack happens. This includes how to fix things and learn from what happened. 

Agencies also need to know how and when to report any attacks to the Insurance Commissioner. 

Staying aware is important, too. Cybersecurity is always changing, so agencies should keep an eye on new rules and the best ways to keep data safe, both for the agency itself and for their clients.

Deeper Dive

  1. Assemble a Cybersecurity Team: Appoint qualified individuals or hire external consultants with expertise in cybersecurity to oversee compliance with PIDSA. 
  2. Conduct a Risk Assessment:  
     a. Inventory all systems and data that store sensitive customer information.  
     b. Identify potential vulnerabilities and threats to these systems.  
     c. Assess the likelihood and potential impact of these threats.  
     d. Document the findings and propose mitigation strategies. 
  3. Develop an Information Security Program:  
     a. Create policies and procedures based on the risk assessment findings.  
     b. Implement security measures to address identified vulnerabilities (e.g., firewalls, encryption).  
     c. Establish access controls to limit who can access sensitive information.  
     d. Develop an incident response plan that outlines the steps to take in case of a cyberattack.
  4. Monitor and Test Security Measures:  
     a. Regularly monitor systems for signs of unauthorized or suspicious activity.  
     b. Conduct periodic penetration testing to evaluate the effectiveness of security measures.  
     c. Update security measures as needed based on monitoring and testing results.
  5. Create a Cyber Incident Response Plan:  
     a. Designate roles and responsibilities for responding to incidents.  
     b. Establish communication protocols for internal and external communications during an incident.  
     c. Outline steps for containment, eradication, and recovery from a cyber incident.  
     d. Develop a process for post-incident analysis to learn from the event and improve response plans.
  6. Establish a Notification Process
     a. Develop procedures for identifying when customer information has been compromised.  
     b. Create templates for notification to the Insurance Commissioner.  
     c. Ensure that notifications are sent within five business days of identifying a cyberattack as per PIDSA.
  7. Maintain Compliance Documentation:  
     a. Keep records of risk assessments, security measures, training programs, and incident responses.  
     b. Ensure that documentation is available for compliance verification and audits.
  8. Encrypt PII Data and Emails:  
     a. Use encryption technologies for data at rest and for data in transit, including emails.  
     b. Develop a strategy for securely managing encryption keys.  
     c. Restrict access to encrypted data to authorized personnel only.
  9. Employee Training Against Phishing and Social Engineering:  
     a. Provide training on recognizing and handling phishing emails and social engineering tactics.  
    b. Conduct simulated attacks to test awareness and provide feedback.  
    c. Encourage employees to report suspicious activity without fear of repercussions.
  10. Stay Informed:  
     a. Regularly check for updates and changes to PIDSA.  
     b. Continually improve your cybersecurity program by staying informed of emerging threats and best practices in the industry.

Wrapping It Up

The Pennsylvania Insurance Data Security Act is important for protecting data in the insurance world. Agencies need to get on board fast – not just to follow the law but to protect their customers and themselves from the tsunami of cyber threats. This is a nationwide movement, and being proactive in cybersecurity is the new gold standard.

A Special Invitation: Find Out Your Cybersecurity Standing

Staying ahead in cybersecurity is vital. It’s essential not only for compliance but also for the integrity and trustworthiness of your agency.  

Don’t leave it to chance. Take this decisive step to understand your current cybersecurity landscape and identify areas that need reinforcement. Our expert team will provide you with invaluable insights and recommendations. 

Click here to book your FREE confidential cybersecurity assessment. 

Walter-Contreras

Walter Contreras

Walter Contreras has over 25 years of experience in information technology, including cybersecurity, with a focus on the Insurance Industry. As both a computer scientist and a graduate of the Columbia University Business School’s Executive MBA program, Walter understands how the world’s digital transformation is impacting small and medium businesses. His mission is to deploy information technology to protect and empower entrepreneurs.

Related blogs