MO SB385
Enacts provisions relating to insurance companies' data security


Introduced: 01/08/2025
In Committee: 02/17/2025
Crossed Over
Passed
Dead: 05/16/2025

Introduced Session

2025 Regular Session


AI Summary

This bill enacts the Insurance Data Security Act, which establishes comprehensive data security requirements for insurance companies (licensees) in Missouri. The legislation mandates that insurance companies develop and maintain a written information security program designed to protect nonpublic consumer information, including implementing administrative, technical, and physical safeguards to prevent unauthorized access, cyber threats, and data breaches. Key provisions include requiring licensees to conduct risk assessments, designate personnel responsible for information security, implement access controls and encryption, develop incident response plans, and provide annual certification of compliance to the state director of commerce and insurance. The bill defines specific terms like "cybersecurity event" and "nonpublic information" and outlines notification requirements if a data breach occurs, mandating that companies report significant cybersecurity events to the state within three business days. The law applies to most insurance companies, with some exemptions for smaller businesses and those already governed by similar federal healthcare privacy regulations. Notably, the bill does not create a private right of action for consumers but provides the state insurance director with enforcement authority. Insurance companies will have until January 1, 2027, to implement most provisions, with full implementation required by January 1, 2028.

Committee Categories

Business and Industry

Sponsors (1)

Last Action

Voted Do Pass S Insurance and Banking Committee (on 03/11/2025)
