Governor Kay Ivey signed S.B. 54 into law, making Alabama the latest state to pass a law mandating heightened standards within the insurance industry for cybersecurity and data privacy. The Insurance Information Security Program Requirement applies specifically to insurers and other entities licensed by the Alabama Department of Insurance (DOI). The law requires insurers to develop and implement an information security program and to report certain cybersecurity events to the Commissioner of Insurance (Commissioner), and it provides for civil penalties under certain conditions.
Licensees have until May 1, 2020, to implement the statute’s information security requirements, and until May 1, 2021, to implement the statute’s required controls for third-party service providers.
S.B. 54 expands upon Alabama’s existing data privacy laws for insurers by a) differentiating the definition of personal information, b) requiring notification to the Commissioner for cybersecurity events, c) requiring that applicable insurers develop, implement and maintain a written information security policy, and d) expanding the power of the Commissioner to monitor compliance and execute penalties for non-compliance.
The following exceptions shall apply to this act:
(1) A licensee is exempt from Section 4 of this act if any of the following criteria apply:
- The licensee has fewer than 25 employees.
- The licensee has less than $5 million in gross annual revenue.
- The licensee has less than $10 million in year-end total assets.
Find out how NXTsoft can help Alabama insurance agents comply with the cybersecurity requirements of this law. Get more information on how NXTsoft can help your insurance agency with cybersecurity!