Insurance Data Security

Act 2 of 2023 requires insurance licensees to take specific actions to safeguard consumers' information.

Act 2 of 2023

Act 2 of 2023 (HB 739) requires insurance licensees to take specific actions to safeguard consumers' information, effective December 11, 2023.

This legislation was derived from model legislation developed by the National Association of Insurance Commissioners, incorporating input from all participating state insurance commissioners, industry stakeholders, and consumer representatives.

The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events.

Key Implementation Dates

  • December 11, 2024: Licensees must have implemented the required elements relating to Risk Assessment, Information Security Program, and Corporate Oversight.
  • December 11, 2025: Licensees must have implemented the additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee. Information related to third-party service providers is located under § 4515 of the Act.
  • No later than April 15, 2026: Each insurer domiciled in this Commonwealth must annually submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements outlined in the Act. Information related to certification is located under § 4516 of the Act.

When Must a Cybersecurity Event Notification Be Submitted?

A "cybersecurity event" is an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on the information system.

The term does not include:

  • The unauthorized acquisition of encrypted nonpublic information if the encryption, process or key is not also acquired, released, or used without authorization.
  • An event where the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

This Act requires, among other things, that a licensee investigate a cybersecurity event and notify the Commissioner as promptly as possible, but no later than five business days after determining that a cybersecurity event has occurred when certain criteria are met.

If a cybersecurity event is not reported within five business days, the licensee could face additional Department oversight, examinations, or even loss of license.

Cybersecurity Event Examples

Below are common examples of cybersecurity events that would require a licensee to notify the Department. These breach examples include, but are not limited to:

  • Theft
  • Phishing
  • Hacking
  • Stolen/Lost Equipment
  • DNS/Ransomware
  • Improper Disclosure
  • Improper Disposal
  • Lost During Move
  • Unauthorized Access
  • Compromised Computer/Equipment

It is important to note that this list is not exhaustive; other circumstances not included in the list above may qualify as a cybersecurity event and require notification to the Commissioner. If you are unsure or have questions, please reach out via email to RA-INdatasecurity@pa.gov.

Notable Definitions Under the Act

The Act draws a distinction between "insurers" and "licensees." This distinction is most notable in section 4516 of the Act, which requires insurers domiciled in the Commonwealth to submit annual compliance certifications to the Department beginning in April 2026.

The Act defines an "insurer" as:

  • An insurance company, association, or exchange
  • An interinsurance exchange
  • A health maintenance organization
  • A preferred provider organization
  • A professional health services plan corporation subject to Chapter 63 (relating to professional health services plan corporations)
  • A hospital plan corporation subject to Chapter 61 (relating to hospital plan corporations)
  • A fraternal benefit society or beneficial association
  • A Lloyd's insurer
  • A health plan corporation

The Act defines a "licensee" as a person that is or is required to be licensed, authorized to operate or registered under the insurance laws of this Commonwealth.

This term does not include:

  • A purchasing group or risk retention group, as defined in section 1502 of the act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921, that is chartered and licensed in a state other than this Commonwealth.
  • A person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Questions?

Questions concerning the Act or a Cybersecurity event notification can be sent to RA-INdatasecurity@pa.gov.