Delaware Code Title 18 Sec. 8605 – Investigation of a cybersecurity event
(a) If a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.
Terms Used In Delaware Code Title 18 Sec. 8605
- Commissioner: means the Insurance Commissioner of the State of Delaware. See Delaware Code Title 18 Sec. 8603
- Cybersecurity event: means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system. See Delaware Code Title 18 Sec. 8603
- Information system: means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and a specialized system such as an industrial or process controls system, telephone switching and private branch exchange system, or environmental control system. See Delaware Code Title 18 Sec. 8603
- Licensee: means a person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of this State. See Delaware Code Title 18 Sec. 8603
- Nonpublic information: means electronic information that is not publicly-available information and is at least 1 of the following:
- Third-party service provider: means a person who is not a licensee and who contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through the person's provision of services to the licensee. See Delaware Code Title 18 Sec. 8603
(b) During an investigation under this section, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum, do as much of the following as possible:
(1) Determine whether a cybersecurity event has occurred.
(2) Assess the nature and scope of the cybersecurity event.
(3) Identify the nonpublic information that may have been involved in the cybersecurity event.
(4) Perform or oversee reasonable measures to restore the security of the information system compromised in the cybersecurity event to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control.
(c) If a licensee provides nonpublic information to a third-party service provider and learns that a cybersecurity event has or may have occurred in a system that the third-party service provider maintains, the licensee shall complete the steps listed in subsection (b) of this section or make reasonable efforts to confirm and document that the third-party service provider has completed the steps.
(d) A licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon the Commissioner’s demand.