Tennessee insurance consumers gained new protections for their personal, medical and financial information with the signing of the Insurance Data Security Law. This law took effect July 1, 2021.
The law modernizes, defines and toughens existing security measures that Tennessee insurance carriers must take to protect consumer information. Under the new law, insurance carriers must:
- Identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse or destruction of consumers’ private information.
- Develop, implement and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program.
- Investigate any cybersecurity breach and notify the Insurance Commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.
Report a Cyber Security Event
A licensee must notify the Insurance Commissioner of a cyber security event in accordance with Tennessee Code Annotated, Title 56, Chapter 2.
To report a new cyber security event or update an existing cyber security event, please select the following link: https://www.tn.gov/commerce/insurance/company-resources/cybersecurity/report.html
Compliance (Self) Certification
Each insurer domiciled in Tennessee who does not qualify for an exemption must annually, on or before April 15th, submit a written statement to the Commissioner of the Department of Commerce and Insurance certifying that the insurer is in compliance with the Insurance Data Security Law.
Exceptions to the Insurance Data Security Law
A licensee or employees, agents, representatives, or designees of a licensee, may be exempted from the required compliance certification pursuant to the Insurance Data Security Law if they meet any of the following criteria:
- Employs fewer than twenty-five (25) individuals, regardless of whether the individuals are employees or independent contractors.
- Has less than five million dollars ($5,000,000) in gross annual revenue.
- Has less than ten million dollars ($10,000,000) in year-end total assets.
- Subject to and governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996 (42 U.S.C. § 1320d et seq.), and the federal Health Information Technology for Economic and Clinical Health (“HITECH”) Act (42 U.S.C. § 300jj et seq. and 42 U.S.C. § 17901 et seq.). To be eligible for this exemption, the Company must (1) maintain nonpublic information in the same manner as protected health information as outlined in Tenn. Code Ann. §§ 56-2-1004 and 56-2-1006(c); and (2) be compliant with, and, prior to or contemporaneous with this form, submit a written statement to the Department certifying its compliance with HIPAA and the HITECH Act.
- Subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §§ 6801-6809 and 6821-6827) and meets the requirements of Tenn. Code Ann. § 56-2-1006(c). To be eligible for this exemption, the Company must, prior to or contemporaneous with this form, submit a written statement to the Department certifying its compliance with Title V of the federal Gramm-Leach-Bliley Act of 1999.
In order to validate the exception qualification, a written Exemption Certification form must be completed and returned to the Insurance Division. The Exemption Certification form can be accessed here.
If a licensee does not meet any of the exception criteria, they must complete a Compliance Certification form.