2020 Delaware Code
Title 18 - Insurance Code
Chapter 86. Insurance Data Security Act
§ 8603 Definitions.
As used in this chapter:
(1) “Authorized individual” means an individual to whom a licensee gave authorization to access and use nonpublic information that the licensee and the licensee's information system holds.
(2) “Commissioner” means the Insurance Commissioner of the State of Delaware.
(3) “Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.
(4) “Cybersecurity event” means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system. “Cybersecurity event” does not include either of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
(5) “Department” means the Department of Insurance.
(6) “Encrypted” means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.
(7) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
(8) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and a specialized system such as an industrial or process controls system, telephone switching and private branch exchange system, or environmental control system.
(9) “Insurer” includes an insurer, health service corporation, managed care organization, or health maintenance organization licensed under this title.
(10) “Licensee” means a person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of this State. “Licensee” does not mean either of the following:
a. A purchasing group or risk retention group that is chartered and licensed in a state other than this State.
b. A licensee that is acting as an assuming insurer that is domiciled in a state other than this State or another jurisdiction.
(11) “Multi-factor authentication” means authentication through verification of at least 2 of the following types of authentication factors:
a. Knowledge factors, such as a password.
b. Possession factors, such as a token or text message on a mobile phone.
c. Inherence factors, such as a biometric characteristic.
(12) “Nonpublic information” means electronic information that is not publicly-available information and is at least 1 of the following:
a. Information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with any 1 or more of the following data elements:
1. Social Security number.
2. Driver's license number or nondriver identification card number.
3. Financial account number or credit or debit card number.
4. A security code, access code, or password that would permit access to a consumer's financial account.
5. A biometric record.
b. Information or data, except age or gender, in any form or medium created by or derived from a health-care provider or consumer that can be used to identify a consumer and relates to any of the following:
1. The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of a consumer's family.
2. The provision of health care to a consumer.
3. Payment for the provision of health care to a consumer.
(13) “Notice”, for purposes of the consumer notice required under § 8606(c) of this title, means any of the following:
a. Written notice.
b. Telephonic notice.
c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic signatures and records under 15 U.S.C. § 7001 or if the licensee's primary means of communication with the consumer is by electronic means.
1. Substitute notice, if any of the following apply:
A. The licensee who is required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000.
B. The affected number of consumers to be notified exceeds 100,000.
C. The licensee does not have sufficient contact information to provide notice.
2. “Substitute notice” means all of the following:
A. Electronic notice, if the licensee has an email address for the affected consumer.
B. Conspicuous posting of the notice on the licensee's website page, if the licensee maintains 1 or more website pages.
C. Notice to major statewide media, including newspapers, radio, and television.
D. Publication on the major social media platforms of the licensee who is providing notice.
(14) “Person” means as defined in § 102 of this title.
(15) a. “Publicly-available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public, including any of the following:
1. A federal, state, or local government record.
2. A widely-distributed information source or media.
3. A disclosure to the general public that is required under federal, state, or local law.
b. For purposes of this definition, “reasonable basis to believe that information is lawfully made available to the general public” means a licensee has taken steps and determined all of the following:
1. That the information is of the type that is available to the general public.
2. If a consumer can direct that the information may not be made available to the general public, the consumer has not done so.
(16) “Risk assessment” means the action that a licensee is required to take under § 8604(c) of this title.
(17) “State”, if capitalized, means the State of Delaware.
(18) “Third-party service provider” means a person who is not a licensee and who contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through the person's provision of services to the licensee.