Regular Session 2021-2022 House Bill 2499 P.N. 3448

PRIOR PRINTER'S NO. 2950

PRINTER'S NO. 3448

THE GENERAL ASSEMBLY OF PENNSYLVANIA

HOUSE BILL

No.

2499

Session of

2022

INTRODUCED BY PICKETT, DeLUCA, CIRESI, GUZMAN, HENNESSEY,

MENTZER, MILLARD, B. MILLER, OTTEN, RYAN, THOMAS AND

ZIMMERMAN, APRIL 8, 2022

AS REPORTED FROM COMMITTEE ON INSURANCE, HOUSE OF

REPRESENTATIVES, AS AMENDED, SEPTEMBER 12, 2022

AN ACT

Amending Title 40 (Insurance) of the Pennsylvania Consolidated

Statutes, in regulation of insurers and related persons

generally, providing for insurance data security; IN RESERVE

LIABILITIES, REPEALING PROVISIONS RELATING TO SMALL COMPANY

EXEMPTION AND PROVIDING FOR ADOPTION OF EXEMPTION STANDARDS

OF NAIC VALUATION MANUAL; and establishing penalties.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. Title 40 of the Pennsylvania Consolidated

Statutes is amended by adding a chapter to read:

CHAPTER 45

INSURANCE DATA SECURITY

Subchapter

A. Preliminary Provisions

B. Procedures

C. Enforcement

D. Miscellaneous Provisions

SUBCHAPTER A

PRELIMINARY PROVISIONS

<--

Sec.

4501. Scope of chapter.

4502. Definitions.

§ 4501. Scope of chapter.

This chapter relates to insurance data security.

§ 4502. Definitions.

The following words and phrases when used in this chapter

shall have the meanings given to them in this section unless the

context clearly indicates otherwise:

"Authorized individual." An individual known to and screened

by a licensee and determined to be necessary and appropriate to

have access to the nonpublic information held by the licensee

and its information systems.

"Commissioner." The Insurance Commissioner of the

Commonwealth.

"Consumer." An individual, including an applicant,

policyholder, insured, beneficiary, claimant or certificate

holder, who is a resident of this Commonwealth and whose

nonpublic information is in a licensee's possession, custody or

control.

"Cybersecurity event." As follows:

(1) An event resulting in unauthorized access to,

disruption of or misuse of an information system or nonpublic

information stored on the information system.

(2) The term does not include:

(i) The unauthorized acquisition of encrypted

nonpublic information if the encryption, process or key

is not also acquired, released or used without

authorization.

(ii) An event in which the licensee has determined

20220HB2499PN3448 - 2 -

that the nonpublic information accessed by an

unauthorized person has not been used or released and has

been returned or destroyed.

"Department." The Insurance Department of the Commonwealth.

"Encrypted." The transformation of data into a form that has

a low probability of assignment of meaning without the use of a

protective process or key.

"Information security program." The administrative,

technical and physical safeguards that a licensee uses to

access, collect, distribute, process, protect, store, use,

transmit, dispose of or otherwise handle nonpublic information.

"Information system." Any of the following:

(1) A discrete set of information resources that is

stored in an electronic system and is organized for the

collection, processing, maintenance, use, sharing,

dissemination or disposition of electronic nonpublic

information.

(2) Any specialized system such as an industrial or

process control system, telephone switching and private

branch exchange system or an environmental control system.

"Insurer." A n insurance company, association, exchange,

interinsurance exchange, health maintenance organization,

preferred provider organization, professional health services

plan corporation subject to Chapter 63 (relating to professional

health services plan corporations), a hospital plan corporation

subject to Chapter 61 (relating to hospital plan corporations),

fraternal benefit society, beneficial association, Lloyd's

insurer or health plan corporation.

"Licensee." As follows:

(1) A person that is or is required to be licensed,

20220HB2499PN3448 - 3 -

authorized to operate or registered under the insurance laws

of this Commonwealth.

(2) The term does not include:

(i) A purchasing group or risk retention group as

defined in section 1502 of the act of May 17, 1921

(P.L.682, No.284), known as The Insurance Company Law of

1921, that is chartered and licensed in a state other

than this Commonwealth.

(ii) A person that is acting as an assuming insurer

that is domiciled in another state or jurisdiction.

"Multifactor authentication." Authentication through

verification of at least two of the following types of

authentication factors:

(1) Knowledge factors, such as a password.

(2) Possession factors, such as a token or text message

on a mobile telephone.

(3) Inherence factors, such as a biometric

characteristic.

"Nonpublic information." Information that is stored or

maintained in an electronic system, is not publicly available

information and is any of the following:

(1) Business-related information of a licensee that

would cause a materially adverse impact to the business,

operations or security of the licensee if the information is

tampered with, accessed, used or subject to unauthorized

disclosure.

(2) Information concerning a consumer that because of a

name, number, personal mark or other identifier, can be used

to identify the consumer, in combination with any one or more

of the following data elements:

20220HB2499PN3448 - 4 -

(i) Social Security number.

(ii) Driver's license number or nondriver

identification card number.

(iii) Financial account number, credit card number

or debit card number.

(iv) A security code, access code or password that

would permit access to a consumer's financial account.

(v) Biometric records.

(3) Information or data, except age or gender, in any

form or medium created by or derived from a health care

provider or a consumer that can be used to identify a

particular consumer and that relates to any of the following:

(i) The past, present or future physical, mental or

behavioral health or condition of a consumer or a member

of the consumer's family.

(ii) The provision of health care to any consumer.

(iii) Payment for the provision of health care to

any consumer.

"Person." An individual or nongovernmental entity, including

a nongovernmental partnership, corporation, branch, agency or

association.

"Publicly available information." Information that a

licensee has a reasonable basis to believe is lawfully made

available to the general public from any of the following:

(1) Federal, State or local government records.

(2) Widely distributed media.

(3) Disclosures to the general public that are required

to be made in accordance with Federal, State or local law.

"Risk assessment." The assessment that each licensee is

required to conduct under section 4512 (relating to risk

20220HB2499PN3448 - 5 -

assessment).

"Third-party service provider." As follows:

(1) A person that contracts with a licensee to maintain,

process or store, or is otherwise permitted to access,

nonpublic information through its provision of services to

the licensee.

(2) The term does not include a licensee.

SUBCHAPTER B

PROCEDURES

Sec.

4511. Differentiation between types of information.

4512. Risk assessment.

4513. Information security program.

4514. Corporate oversight.

4515. Oversight of third-party service provider arrangements.

4516. Certification.

4517. Investigation of cybersecurity event.

4518. Notification of cybersecurity event.

§ 4511. Differentiation between types of information.

For purposes of determining what constitutes publicly

available information, a licensee is deemed to have a reasonable

basis to believe that information is lawfully made available to

the general public if the licensee has taken steps to determine:

(1) that the information is of the type that is

available to the general public; and

(2) whether a consumer is able to direct that the

information not be made available to the general public and,

if so, that the consumer has not done so.

§ 4512. Risk assessment.

A licensee shall conduct a risk assessment, which must:

20220HB2499PN3448 - 6 -

(1) Identify reasonably foreseeable internal or external

threats that could result in unauthorized access,

transmission, disclosure, misuse, alteration or destruction

of nonpublic information, including the security of

information systems and nonpublic information that are

accessible to, or held by, third-party service providers.

(2) Assess the likelihood and potential damage of

threats, taking into consideration the sensitivity of the

nonpublic information.

(3) Assess the sufficiency of policies, procedures,

information systems and other safeguards in place to manage

threats in each relevant area of the licensee's operations,

including:

(i) Employee training and management.

(ii) Information systems, including network and

software design and information classification,

governance, processing, storage, transmission and

disposal.

(iii) Detection, prevention and response to attacks,

intrusions or other system failures.

(4) Implement information safeguards to manage the

threats identified in its ongoing assessment.

(5) At least annually, assess the effectiveness of the

safeguards' key controls, systems and procedures.

§ 4513. Information security program.

(a) Requirement for implementation and objectives.--Each

licensee shall develop, implement and maintain a comprehensive

written information security program based on the licensee's

risk assessment that:

(1) Contains administrative, technical and physical

20220HB2499PN3448 - 7 -

safeguards for the protection of nonpublic information and

the licensee's information systems.

(2) Is commensurate with the following:

(i) The size and complexity of the licensee.

(ii) The nature and scope of the licensee's

activities, including the licensee's use of third-party

service providers.

(iii) The sensitivity of the nonpublic information

used by the licensee or in the licensee's possession,

custody or control.

(3) Is designed to protect:

(i) The security and confidentiality of nonpublic

information and the security of the information systems.

(ii) Against any threats or hazards to the security

or integrity of nonpublic information and the information

systems.

(iii) Against unauthorized access to or use of

nonpublic information and that minimizes the likelihood

of harm to a consumer.

(4) Defines and periodically reevaluates a schedule for

retention of nonpublic information and a mechanism for its

destruction when no longer needed.

(b) Designation of responsibility.--A licensee shall

designate one or more employees, an affiliate or an outside

vendor to act on behalf of the licensee who shall be responsible

for the information security program of the licensee.

security program based on its risk assessment and shall:

(1) Design its information security program to mitigate

the identified risks, in a manner that is commensurate with

20220HB2499PN3448 - 8 -

the following:

(i) The size and complexity of the licensee.

(ii) The nature and scope of the licensee's

activities, including the licensee's use of third-party

service providers.

(iii) The sensitivity of the nonpublic information

used by the licensee or in the licensee's possession,

custody or control.

(2) Determine which security measures are appropriate

and implement the security measures by:

(i) Placing access controls on information systems,

including controls to authenticate and permit access only

to authorized individuals to protect against the

unauthorized acquisition of nonpublic information.

(ii) Identifying and managing the data, personnel,

devices, systems and facilities that enable the licensee

to achieve business purposes in accordance with their

relative importance to business objectives and the

licensee's risk strategy.

(iii) Restricting physical access to nonpublic

information only to authorized individuals.

(iv) Protecting, by encryption or other appropriate

means, all nonpublic information transmitted over an

external network and all nonpublic information stored on

a laptop computer or other portable computing or storage

device or media.

(v) Adopting secure development practices for in-

house developed applications utilized by the licensee.

(vi) Modifying the information systems in accordance

with the licensee's information security program.

20220HB2499PN3448 - 9 -

(vii) Utilizing effective controls, which may

include multifactor authentication procedures, for any

employees accessing nonpublic information.

(viii) Regularly testing and monitoring systems and

procedures to detect actual and attempted attacks on, or

intrusions into, information systems.

(ix) Including audit trails within the information

security program designed to detect and respond to

cybersecurity events and designed to reconstruct material

financial transactions sufficient to support normal

operations and obligations of the licensee.

(x) Implementing measures to protect against

destruction, loss or damage of nonpublic information due

to environmental hazards, such as fire and water damage

or other catastrophes or technological failures.

(xi) Developing, implementing and maintaining

procedures for the secure disposal of nonpublic

information in any format.

(3) Include cybersecurity risks in the licensee's

enterprise risk management process.

(4) Stay informed regarding emerging threats or

vulnerabilities and utilize security measures when sharing

information relative to the character of the sharing and the

type of information shared.

(5) Provide its personnel with cybersecurity awareness

training that is updated as necessary to reflect risks

identified by the licensee in the risk assessment.

(d) Monitoring, evaluation and adjustment.--A licensee shall

monitor, evaluate and adjust, as appropriate, the information

security program consistent with:

20220HB2499PN3448 - 10 -

(1) Any relevant changes in technology.

(2) The sensitivity of the licensee's nonpublic

information.

(3) Internal or external threats to information.

(4) The licensee's own changing business arrangements,

such as mergers and acquisitions, alliances and joint

ventures, outsourcing arrangements and changes to information

systems.

(e) Incident response plan.--As part of its information

security program, each licensee shall establish and maintain a

written incident response plan designed to promptly respond to,

and recover from, any cybersecurity event that compromises the

confidentiality, integrity or availability of nonpublic

information in its possession, the licensee's information

systems or the continuing functionality of any aspect of the

licensee's business or operations. The incident response plan

shall address the following areas:

(1) The internal process for responding to a

cybersecurity event.

(2) The goals of the incident response plan.

(3) The definition of clear roles, responsibilities and

levels of decision-making authority.

(4) External and internal communications and information

sharing.

(5) Identification of requirements for the remediation

of any identified weaknesses in information systems and

associated controls.

(6) Documentation and reporting regarding cybersecurity

events and related incident response activities.

(7) The evaluation and revision of the incident response

20220HB2499PN3448 - 11 -

plan following a cybersecurity event, as necessary.

§ 4514. Corporate oversight.

(a) Duties.--If a licensee has a board of directors, the

board or an appropriate committee of the board shall, at a

minimum:

(1) Require the licensee's executive management or

delegates to develop, implement and maintain the licensee's

information security program.

(2) Require the licensee's executive management or

delegates to report in writing at least annually, the

following information:

(i) The overall status of the information security

program and the licensee's compliance with this chapter.

(ii) Material matters related to the information

security program, addressing issues such as:

(A) Risk assessment, risk management and control

decisions.

(B) Third-party service provider arrangements.

(D) Cybersecurity events.

(E) Any violation of this chapter and

management's responses to the violation.

(F) Recommendations for changes in the

information security program.

(b) Delegation.--If the executive management of a licensee

delegates any of its responsibilities under this section or

section 4512 (relating to risk assessment), 4513 (relating to

information security program) or 4515 (relating to oversight of

third-party service provider arrangements) , the executive

management shall oversee the development, implementation and

20220HB2499PN3448 - 12 -

maintenance of the licensee's information security program

prepared by the delegated entity, which shall provide a written

report to the executive management in accordance with the

reporting requirements of this chapter.

§ 4515. Oversight of third-party service provider arrangements.

A licensee shall:

(1) Exercise due diligence in selecting its third-party

service provider.

(2) Require a third-party service provider to implement

appropriate administrative, technical and physical measures

to protect and secure the information systems and nonpublic

information that are accessible to, or held by, the third-

party service provider.

§ 4516. Certification.

(a) Requirement.--No later than the April 15 that is at

least one year after the effective date of this section, and

each April 15 thereafter, each insurer domiciled in this

Commonwealth shall submit to the commissioner, in the form and

manner prescribed by the department, a written statement

certifying that the insurer is in compliance with the

requirements of sections 4512 (relating to risk assessment),

4513 (relating to information security program), 4514 (relating

to corporate oversight) and 4515 (relating to oversight of

third-party service provider arrangements).

(b) Documentation.--

(1) Each insurer shall maintain all records, schedules

and data supporting the certification under this section for

a period of five years and shall make that information

available for examination by the department.

(2) To the extent that an insurer has identified areas,

20220HB2499PN3448 - 13 -

systems or processes that require material improvement,

updating or redesign, the insurer shall document the

identification and the remedial efforts planned and underway

to address the areas, systems or processes. The documentation

shall be available for inspection by the department.

§ 4517. Investigation of cybersecurity event.

(a) Requirement.--If a licensee discovers that a

cybersecurity event has or may have occurred regarding the

licensee, the licensee or an outside vendor or service provider

designated to act on behalf of the licensee shall conduct a

prompt investigation.

(b) Determination.--During an investigation under this

section, the licensee or an outside vendor or service provider

designated to act on behalf of the licensee shall, at a minimum,

do as much of the following as possible:

(1) Determine whether a cybersecurity event has

occurred.

(2) Assess the nature and scope of the cybersecurity

event.

(3) Identify any nonpublic information that may have

been involved in the cybersecurity event.

(4) Perform or oversee reasonable measures to restore

the security of the information systems compromised in the

cybersecurity event in order to prevent further unauthorized

acquisition, release or use of nonpublic information in the

licensee's possession, custody or control.

that a cybersecurity event has or may have occurred in a system

maintained by a third-party service provider, the licensee shall

complete the steps specified in subsection (b) or confirm and

20220HB2499PN3448 - 14 -

document that the third-party service provider has completed

those steps.

(d) Records.--A licensee shall maintain records concerning

all cybersecurity events for a period of at least five years

from the date of the cybersecurity event and shall produce those

records upon demand of the commissioner.

§ 4518. Notification of cybersecurity event.

(a) Notification to commissioner.--A licensee shall notify

the commissioner as promptly as possible, but in no event later

than three FIVE business days from a determination, that a

cybersecurity event involving nonpublic information that is in

the possession of the licensee has occurred when either of the

following criteria have been met:

(1) The cybersecurity event has a reasonable likelihood

of materially harming a consumer residing in this

Commonwealth or any material part of the normal operations of

the licensee and either:

(i) in the case of an insurer, this Commonwealth is

the insurer's state of domicile; or

(ii) in the case of an insurance producer, as

defined in section 601-A of the act of May 17, 1921

(P.L.789, No.285), known as The Insurance Department Act

of 1921, this Commonwealth is the insurance producer's

home state.

(2) The licensee reasonably believes that the nonpublic

information involves 250 or more consumers residing in this

Commonwealth and the cybersecurity event:

(i) impacts the licensee of which notice is required

to be provided to a governmental body, self-regulatory

agency or another supervisory body under any Federal or

20220HB2499PN3448 - 15 -

<--

State law; or

(ii) has a reasonable likelihood of materially

harming a consumer residing in this Commonwealth or any

material part of the normal operations of the licensee.

(b) Content of notification.--As part of the notification

under this section, a licensee shall provide as much of the

following information as possible in electronic form:

(1) The date of the cybersecurity event.

(2) A description of how the information was exposed,

lost, stolen or breached, including the specific roles and

responsibilities of third-party service providers, if any.

(3) How the cybersecurity event was discovered.

(4) Whether any lost, stolen or breached information has

been recovered and, if so, how this was done.

(5) The identity of the source of the cybersecurity

event.

(6) Whether the licensee has filed a police report or

has notified any regulatory, governmental or law enforcement

agency and, if so, when the notification was provided.

(7) A description of the specific types of information

acquired without authorization, including particular data

elements such as the types of medical information, financial

information or other types of information allowing

identification of the consumer.

(8) The period during which the information systems were

compromised by the cybersecurity event.

(9) The number of total consumers in this Commonwealth

affected by the cybersecurity event. The licensee shall

provide the best estimate in the initial report to the

commissioner and update this estimate with each subsequent

20220HB2499PN3448 - 16 -

report to the commissioner under this section.

(10) The results of any internal review identifying a

lapse in either automated controls or internal procedures or

confirming that all automated controls or internal procedures

were followed.

(11) A description of efforts being undertaken to

remediate the situation that permitted the cybersecurity

event to occur.

(12) A copy of the licensee's privacy policy and a

statement outlining the steps that the licensee will take to

investigate and notify consumers affected by the

cybersecurity event.

(13) The name of a contact person familiar with the

cybersecurity event and authorized to act for the licensee.

continuing obligation to update and supplement initial and

subsequent notifications to the commissioner regarding material

changes to previously provided information relating to a

cybersecurity event.

(d) Other notices required.--A licensee shall comply with

section 3 of the act of December 22, 2005 (P.L.474, No.94),

known as the Breach of Personal Information Notification Act, as

applicable, and provide a copy of the notice sent to consumers

under the Breach of Personal Information Notification Act to the

commissioner, whenever the licensee is required to notify the

commissioner under subsection (a).

(e) Notice regarding cybersecurity events of third-party

service providers.--

(1) In the case of a cybersecurity event in a system

maintained by a third-party service provider of which the

20220HB2499PN3448 - 17 -

licensee has become aware, the licensee shall treat the event

as it would under subsection (a) unless the third-party

service provider provides the notice required under

subsection (a) directly to the commissioner.

(2) The computation of a licensee's deadlines under this

section shall begin on the day after the third-party service

provider notifies the licensee of the cybersecurity event or

the licensee otherwise has actual knowledge of the

cybersecurity event, whichever is sooner.

(f) Notice regarding cybersecurity events of reinsurers to

insurers.--

(1) In the case of a cybersecurity event involving

nonpublic information that is used by a licensee, which is

acting as an assuming insurer, or that is in the possession,

custody or control of a licensee, which is acting as an

assuming insurer and which does not have a direct contractual

relationship with the affected consumers, the assuming

insurer shall notify its affected ceding insurers and the

commissioner of its state of domicile within three business

days of making the determination that a cybersecurity event

has occurred. The ceding insurers that have a direct

contractual relationship with the affected consumers shall

fulfill the consumer notification requirements imposed under

section 3 of the Breach of Personal Information Notification

Act and any other notification requirements relating to a

cybersecurity event imposed under this section.

(2) In the case of a cybersecurity event involving

nonpublic information that is in the possession, custody or

control of a third-party service provider of a licensee that

is an assuming insurer, the assuming insurer shall notify its

20220HB2499PN3448 - 18 -

affected ceding insurers and the commissioner of its state of

domicile within three business days of receiving notice from

its third-party service provider that a cybersecurity event

has occurred. The ceding insurers that have a direct

contractual relationship with the affected consumers shall

fulfill the consumer notification requirements imposed under

section 3 of the Breach of Personal Information Notification

Act and any other notification requirements relating to a

cybersecurity event imposed under this section.

(3) A licensee acting as an assuming insurer shall have

no other notice obligations relating to a cybersecurity event

or other data breach under this section or any other law of

this Commonwealth.

(g) Notice regarding cybersecurity events of insurers to

producers of record.--In the case of a cybersecurity event

involving nonpublic information in the possession, custody or

control of a licensee that is an insurer or its third-party

service provider for which a consumer accessed the insurer's

services through an insurance producer, and for which consumer

notice is required under section 3 of the Breach of Personal

Information Notification Act, the insurer shall notify the

producers of record of all affected consumers of the

cybersecurity event no later than the time at which notice is

provided to the affected consumers. The insurer shall be excused

from this obligation in those instances in which the insurer

does not have the current producer of record information for an

individual consumer.

SUBCHAPTER C

ENFORCEMENT

Sec.

20220HB2499PN3448 - 19 -

4521. Power to examine licensees.

4522. Penalties.

§ 4521. Power to examine licensees.

(a) Insurers.--The commissioner shall have the powers

provided under Article IX of the act of May 17, 1921 (P.L.789,

No.285), known as The Insurance Department Act of 1921, to

examine and investigate an insurer to determine whether the

insurer has been or is engaged in conduct in violation of

section 4512 (relating to risk assessment), 4513 (relating to

information security program), 4514 (relating to corporate

oversight), 4515 (relating to oversight of third-party service

provider arrangements) or 4516 (relating to certification).

(b) Licensees other than insurers.--

(1) The commissioner shall have the power to examine and

investigate a licensee not subject to Article IX of The

Insurance Department Act of 1921 to determine whether the

licensee has engaged in conduct in violation of this chapter.

(2) Each licensee subject to examination in accordance

with paragraph (1) shall keep all books, records, accounts,

papers, documents and any computer or other recordings

relating to compliance with this chapter in the manner and

time periods as the department, in its discretion, may

require in order that the department's authorized

representatives may verify and ascertain whether the company

or person has complied with the requirements of this chapter.

(3) Each licensee subject to examination in accordance

with paragraph (1) from whom information is sought and the

officers, directors, employees and agents of the licensee

shall provide to the examiners timely, convenient and free

access at all reasonable hours at the licensee's offices to

20220HB2499PN3448 - 20 -

all books, records, accounts, papers, documents and any

computer or other recordings relating to the property,

assets, business and affairs of the licensee being examined.

The following apply:

(i) The officers, directors, employees and agents of

the licensee shall facilitate the examination and aid in

the examination insofar as it is in their power to do so.

(ii) The refusal of a licensee by its officers,

directors, employees or agents to submit to examination

or to comply with any reasonable written request of the

examiners shall be grounds for suspension, revocation,

refusal or nonrenewal of any license or authority held by

the licensee to engage in an insurance or other business

subject to the department's jurisdiction.

(iii) A proceeding for suspension, revocation,

refusal or nonrenewal of any license or authority shall

be conducted in accordance with 2 Pa.C.S. (relating to

administrative law and procedure).

in addition to the powers specified under this section, whenever

the commissioner has reason to believe that a licensee has been

or is engaged in conduct in this Commonwealth that violates this

chapter, the commissioner may take an action that is necessary

or appropriate to enforce the provisions of this chapter.

§ 4522. Penalties.

Upon the determination, after notice and hearing, that this

chapter has been violated, the commissioner may impose the

following penalties:

(1) Suspension or revocation of the licensee's license,

authorization to operate or registration.

20220HB2499PN3448 - 21 -

(2) Refusal to issue or renew a license, authorization

to operate or registration.

(3) A cease and desist order.

(4) For each violation of this chapter that a licensee

knew or reasonably should have known was a violation, a

penalty of not more than $5,000, not to exceed an aggregate

penalty of $100,000 in a single calendar year.

(5) For each violation of this chapter that a licensee

did not know nor reasonably should have known was a

violation, a penalty of not more than $1,000, not to exceed

an aggregate penalty of $20,000 in a single calendar year.

SUBCHAPTER D

MISCELLANEOUS PROVISIONS

Sec.

4531. Confidentiality.

4532. Exemptions.

4533. Rules and regulations.

4534. Construction with other laws.

4535. Prevention or abrogation of agreements.

4536. Initial compliance.

§ 4531. Confidentiality.

(a) Requirement.--All information, documents, materials and

copies thereof in the possession or control of the department

that are produced by, obtained by or disclosed to the department

or any other person in the course of an examination or

investigation under this chapter shall be privileged and given

confidential treatment and:

(1) Shall not be subject to discovery or admissible in

evidence in a private civil action.

(2) Shall not be subject to subpoena.

20220HB2499PN3448 - 22 -

(3) Shall be exempt from access under the act of

February 14, 2008 (P.L.6, No.3), known as the Right-to-Know

Law.

(4) Shall not be made public by the department or any

other person, except to regulatory or law enforcement

officials of other jurisdictions, without the prior written

consent of the licensee to which it pertains, except as

provided in subsection (c).

(b) Civil actions.--The commissioner, department or any

person that receives documents, materials or other information

while acting under the authority of the commissioner or

department or with whom the documents, materials or other

information are shared under this chapter may not be permitted

or required to testify in a private civil action concerning

confidential documents, materials or information covered under

subsection (a).

regulatory duties under this chapter, the department:

(1) May share documents, materials or other information,

including confidential and privileged documents, materials or

other information subject to subsection (a), with the

following:

(i) Federal, state and international regulatory

agencies.

(ii) The National Association of Insurance

Commissioners and its affiliates or subsidiaries.

(iii) Federal, state and international law

enforcement authorities.

(iv) Third-party consultants , if the recipient

agrees in writing to maintain the confidentiality and

20220HB2499PN3448 - 23 -

privileged status of the documents, materials or other

information.

(2) May receive documents, materials or other

information, including otherwise confidential and privileged

documents, materials or other information, from the National

Association of Insurance Commissioners, its affiliates or

subsidiaries and from regulatory and law enforcement

officials of other foreign or domestic jurisdictions, and

shall maintain as confidential or privileged any document,

material or other information received with notice or the

understanding that it is confidential or privileged under the

laws of the jurisdiction that is the source of the document,

material or other information.

(d) No delegation.--The sharing of information by the

department under this chapter shall not constitute a delegation

of regulatory authority or rulemaking. The department shall be

solely responsible for the administration, execution and

enforcement of this chapter.

(e) No waiver of privilege or confidentiality.--The sharing

of confidential information with, to or by the department as

authorized by this chapter shall not constitute a waiver of any

applicable privilege or claim of confidentiality.

(f) Information with third parties.--Confidential

information in the possession or control of the National

Association of Insurance Commissioners or a third-party

consultant as provided under this chapter shall:

(1) Be confidential and privileged.

(2) Be exempt from access under the Right-to-Know Law.

(3) Not be subject to subpoena.

(4) Not be subject to discovery or admissible as

20220HB2499PN3448 - 24 -

evidence in a private civil action.

§ 4532. Exemptions.

(a) Licensee criteria.--A licensee meeting any of the

following criteria shall be exempt from sections 4512 (relating

to risk assessment), 4513 (relating to information security

program), 4514 (relating to corporate oversight), 4515 (relating

to oversight of third-party service provider arrangements) and

4516 (relating to certification):

(1) The licensee has fewer than 10 employees.

(2) The licensee has less than $5,000,000 in gross

revenue.

(3) The licensee has less than $10,000,000 in year-end

total assets.

(b) Federal law.--A licensee that is subject to and governed

by the privacy, security and breach notification rules issued by

the United States Department of Health and Human Services under

45 CFR Pts. 160 (relating to general administrative

requirements) and 164 (relating to security and privacy),

established in accordance with the Health Insurance Portability

and Accountability Act of 1996 (Public Law 104-191, 110 Stat.

1936) and the Health Information Technology for Economic and

Clinical Health Act (Public Law 111-5, 123 Stat. 226-279 and

467-496), and which maintains nonpublic information in the same

manner as protected health information shall be deemed to comply

with the requirements of this chapter except for the

notification requirements of section 4518(a), (b) and (c)

(relating to notification of cybersecurity event).

employee, agent, representative or designee of a licensee, who

is also a licensee, shall be exempt from sections 4512, 4513,

20220HB2499PN3448 - 25 -

4514, 4515 and 4516 and need not develop its own information

security program to the extent that the employee, agent,

representative or designee is covered by the information

security program of the other licensee.

(d) Compliance.--If a licensee ceases to qualify for an

exemption under this section, the licensee shall have 180 days

to comply with this chapter.

§ 4533. Rules and regulations.

The commissioner may issue rules and regulations necessary to

carry out the provisions of this chapter.

§ 4534. Construction with other laws.

(a) Private cause of action.--Nothing in this chapter shall

be construed to:

(1) Create or imply a private cause of action for a

violation of this chapter.

(2) Curtail a private cause of action that otherwise

exists in the absence of this chapter.

(b) Exclusive standards.--Notwithstanding any other

provision of law, this chapter shall establish the exclusive

State standards applicable to licensees for data security, the

licensees' investigation of a cybersecurity event and

notification to the commissioner.

§ 4535. Prevention or abrogation of agreements.

Nothing in this chapter shall prevent or abrogate an

agreement between a licensee and another licensee, a third-party

service provider or any other party to fulfill any of the

investigation requirements imposed under section 4517 (relating

to investigation of cybersecurity event) or notice requirements

imposed under section 4518 (relating to notification of

cybersecurity event).

20220HB2499PN3448 - 26 -

§ 4536. Initial compliance.

Licensees shall have one year from the effective date of this

section to implement sections 4512 (relating to risk

assessment), 4513 (relating to information security program),

4514 (relating to corporate oversight) and 4516 (relating to

certification) and two years from the effective date of this

section to implement section 4515 (relating to oversight of

third-party service provider arrangements).

Section 2. This act shall take effect in 180 days.

SECTION 2. SECTION 7142 OF TITLE 40 IS REPEALED:

[§ 7142. SMALL COMPANY EXEMPTION.

(A) REQUIREMENTS.--A COMPANY SEEKING AN EXEMPTION FOR ANY OF

ITS ORDINARY LIFE POLICIES ISSUED ON OR AFTER THE OPERATIVE DATE

OF THE VALUATION MANUAL MAY FILE A STATEMENT OF EXEMPTION FOR

THE CURRENT CALENDAR YEAR WITH ITS DOMESTIC COMMISSIONER PRIOR

TO JULY 1 OF THAT YEAR IF THE FOLLOWING CONDITIONS ARE MET:

(1) THE COMPANY HAS LESS THAN $300,000,000 OF ORDINARY

LIFE PREMIUMS AND, IF THE COMPANY IS A MEMBER OF AN NAIC

GROUP OF LIFE INSURERS, THE GROUP HAS COMBINED ORDINARY LIFE

PREMIUMS OF LESS THAN $600,000,000.

(2) THE COMPANY REPORTED TOTAL ADJUSTED CAPITAL OF AT

LEAST 450% OF THE AUTHORIZED CONTROL LEVEL RISK-BASED CAPITAL

IN THE MOST RECENT RISK-BASED CAPITAL REPORT. THIS PARAGRAPH

SHALL NOT APPLY TO FRATERNAL BENEFIT SOCIETIES WITH LESS THAN

$50,000,000 OF ORDINARY LIFE PREMIUMS.

(3) THE APPOINTED ACTUARY HAS PROVIDED AN UNQUALIFIED

OPINION ON THE RESERVES REPORTED IN THE MOST RECENT ANNUAL

STATEMENT.

(4) ANY UNIVERSAL LIFE SECONDARY GUARANTEE POLICIES

ISSUED OR ASSUMED BY THE COMPANY WITH AN ISSUE DATE ON OR

20220HB2499PN3448 - 27 -

<--

AFTER JANUARY 1, 2020, MEET THE DEFINITION OF A NONMATERIAL

SECONDARY GUARANTEE UNIVERSAL LIFE PRODUCT.

(B) CERTIFICATION.--THE STATEMENT OF EXEMPTION UNDER

SUBSECTION (A) MUST CERTIFY THAT:

(1) THE CONDITIONS UNDER SUBSECTION (A) ARE MET BASED ON

PREMIUMS AND OTHER VALUES FROM THE PRIOR CALENDAR YEAR'S

FINANCIAL STATEMENTS.

(2) ANY UNIVERSAL LIFE SECONDARY GUARANTEE BUSINESS

ISSUED SINCE JANUARY 1, 2020, MEETS THE DEFINITION OF A

NONMATERIAL SECONDARY GUARANTEE UNIVERSAL LIFE PRODUCT.

UNDER SUBSECTION (A) SHALL ALSO BE INCLUDED WITH THE NAIC FILING

FOR THE SECOND QUARTER OF THAT YEAR.

(D) REJECTION.--IF THE COMMISSIONER FINDS THAT THE

CONDITIONS IN SUBSECTION (A) ARE NOT MET, THE COMMISSIONER SHALL

REJECT THE STATEMENT OF EXEMPTION PRIOR TO SEPTEMBER 1. IF THE

COMMISSIONER REJECTS THE EXEMPTION OR THE COMPANY DOES NOT FILE

A STATEMENT OF EXEMPTION, THE COMPANY SHALL FOLLOW THE

REQUIREMENTS OF THE VALUATION MANUAL MINIMUM STANDARD ENTITLED

VM-20 FOR THE ORDINARY LIFE POLICIES ISSUED ON OR AFTER THE

OPERATIVE DATE OF THE VALUATION MANUAL.

(E) APPROVAL.--IF THE STATEMENT OF EXEMPTION UNDER

SUBSECTION (A) IS GRANTED, THE MINIMUM RESERVE REQUIREMENTS FOR

THE EXEMPT COMPANY'S ORDINARY LIFE POLICIES ISSUED ON OR AFTER

THE OPERATIVE DATE OF THE VALUATION MANUAL SHALL BE AS SET FORTH

IN THE VALUATION MANUAL EXCEPT FOR VM-20, BUT USING MORTALITY

TABLES AUTHORIZED BY VM-20.

(F) DEFINITIONS.--AS USED IN THIS SECTION, THE FOLLOWING

WORDS AND PHRASES SHALL HAVE THE MEANINGS GIVEN TO THEM IN THIS

SUBSECTION UNLESS THE CONTEXT CLEARLY INDICATES OTHERWISE:

20220HB2499PN3448 - 28 -

"NONMATERIAL SECONDARY GUARANTEE UNIVERSAL LIFE PRODUCT." A

UNIVERSAL LIFE PRODUCT WHERE THE SECONDARY GUARANTEE MEETS THE

FOLLOWING PARAMETERS AT THE TIME OF ISSUE:

(1) THE POLICY HAS ONLY ONE SECONDARY GUARANTEE, WHICH

IS IN THE FORM OF A REQUIRED PREMIUM CONSISTING OF EITHER A

SPECIFIED ANNUAL OR CUMULATIVE PREMIUM.

(2) THE DURATION OF THE SECONDARY GUARANTEE FOR EACH

POLICY IS NO LONGER THAN 20 YEARS FROM ISSUE THROUGH ISSUE

AGE 60, GRADING DOWN BY TWO-THIRDS YEAR FOR EACH HIGHER ISSUE

AGE TO AGE 82, AND THEREAFTER FIVE YEARS.

(3) THE PRESENT VALUE OF THE REQUIRED PREMIUM UNDER THE

SECONDARY GUARANTEE MUST BE AT LEAST AS GREAT AS THE PRESENT

VALUE OF NET PREMIUMS RESULTING FROM THE APPROPRIATE

VALUATION BASIC TABLE OVER THE COURSE OF THE MAXIMUM

SECONDARY GUARANTEE DURATION ALLOWABLE UNDER THE CONTRACT IN

AGGREGATE AND SUBJECT TO THE DURATION LIMIT UNDER PARAGRAPH

(2). THE FOLLOWING SHALL APPLY:

(I) THE PRESENT VALUE SHALL USE MINIMUM ALLOWABLE

VALUATION BASIC TABLE RATES, WHERE PREFERRED TABLES ARE

SUBJECT TO EXISTING QUALIFICATION REQUIREMENTS, AND THE

MAXIMUM VALUATION INTEREST RATE AS DEFINED IN VM-20

SECTION 3(C)(2).

(II) THE MINIMUM PREMIUMS SHALL BE THE ANNUAL

REQUIRED PREMIUMS OVER THE COURSE OF THE MAXIMUM

SECONDARY GUARANTEE DURATION.

"ORDINARY LIFE PREMIUMS." DIRECT PREMIUMS PLUS REINSURANCE

ASSUMED PREMIUMS FROM AN UNAFFILIATED COMPANY FROM THE ORDINARY

LIFE LINE OF BUSINESS REPORTED IN EXHIBIT 1-PART 1, ENTITLED

PREMIUMS AND ANNUITY CONSIDERATIONS FOR LIFE AND ACCIDENT AND

HEALTH CONTRACTS, OF THE PRIOR CALENDAR YEAR'S LIFE, ACCIDENT

20220HB2499PN3448 - 29 -

AND HEALTH ANNUAL STATEMENT OR THE FRATERNAL ANNUAL STATEMENT.]

SECTION 3. TITLE 40 IS AMENDED BY ADDING A SECTION TO READ:

§ 7143. ADOPTION OF EXEMPTION STANDARDS OF NAIC VALUATION

MANUAL.

(A) FINDINGS AND DECLARATIONS.--THE GENERAL ASSEMBLY FINDS

AND DECLARES THAT THE WORK OF NAIC AND THE PARTICIPATION OF THE

COMMISSIONER IN NAIC ARE ESSENTIAL TO THE GENERAL IMPLEMENTATION

OF THIS CHAPTER.

(B) STANDARDS.--TO EFFECTUATE THE DECISION AS TO WHETHER TO

EXEMPT CERTAIN POLICIES, CERTIFICATES OR PRODUCTS OF A

PARTICULAR COMPANY FROM CERTAIN PROVISIONS OF THE NAIC VALUATION

MANUAL, THE COMMISSIONER SHALL DETERMINE, ON AN ANNUAL BASIS,

WHETHER TO ADOPT THE STANDARDS FOR EXEMPTION SPECIFIED IN THE

MOST RECENT VERSION OF THE NAIC VALUATION MANUAL BY SUBMITTING A

STATEMENT OF POLICY TO THE LEGISLATIVE REFERENCE BUREAU FOR

PUBLICATION IN THE PENNSYLVANIA BULLETIN.

SUBSECTION (B) SHALL BE EXEMPT FROM THE FOLLOWING:

(1) SECTION 205 OF THE ACT OF JULY 31, 1968 (P.L.769,

NO.240), REFERRED TO AS THE COMMONWEALTH DOCUMENTS LAW.

(2) SECTION 204(B) AND 301(10) OF THE ACT OF OCTOBER 15,

1980 (P.L.950, NO.164), KNOWN AS THE COMMONWEALTH ATTORNEYS

ACT.

(3) THE ACT OF JUNE 25, 1982 (P.L.633, NO.181), KNOWN AS

THE REGULATORY REVIEW ACT.

(D) CONSTRUCTION.--NOTHING IN THIS SECTION SHALL AFFECT ANY

OTHER PROVISION IN THIS CHAPTER OR APPLY TO ANY ACTION TAKEN BY

THE DEPARTMENT PRIOR TO THE EFFECTIVE DATE OF THIS SECTION.

SECTION 4. THIS ACT SHALL TAKE EFFECT AS FOLLOWS:

(1) THE ADDITION OF 40 PA.C.S. CH. 45 SHALL TAKE EFFECT

20220HB2499PN3448 - 30 -

IN 180 DAYS.

(2) THE REMAINDER OF THIS ACT SHALL TAKE EFFECT

IMMEDIATELY.

20220HB2499PN3448 - 31 -