The Rhode Island Insurance Bulletin 2025-1 outlines the implementation of the new Insurance Data Security Statute, effective January 1, 2025, which aligns with the NAIC Insurance Data Security Model and applies to both domestic and foreign insurers operating in Rhode Island. Domestic insurers must file an annual certification of compliance by April 15, while foreign insurers must maintain an information security program appropriate to their size and complexity but are not required to file this certification.
The bulletin also clarifies breach notification requirements, emphasizing the need for timely reporting of cybersecurity events impacting more than 50 Rhode Island consumers and specifying the minimum public information that must be disclosed in such notifications.
Main Points:
- Domestic insurers must annually certify compliance with Rhode Island’s new insurance data security law, while foreign insurers must maintain appropriate security programs but are exempt from the certification filing.
- Breach notifications are required for cybersecurity events affecting over 50 Rhode Island consumers, and public disclosures must include the insurer’s name, breach timing, number of impacted consumers, type of information breached, and involvement of third-party providers.
- The statute’s requirements are flexible, allowing insurers to tailor their security programs based on their size and complexity, and compliance with similar laws in other states is generally sufficient for Rhode Island.