Sec. 23. (a) In the case of a cybersecurity event:
(1) that involves nonpublic information:
(A) that is in the possession, custody, or control of a licensee that is an insurer or its third party service provider; and
(B) for which a consumer accessed the insurer's services through an independent insurance producer; and
(2) for which consumer notice is required by IC 24-4.9;
the insurer shall notify the producers of record of all affected consumers of the cybersecurity event not later than the time at which notice is provided to the affected consumers.
(b) The insurer is excused from the obligation set forth in subsection (a):
(1) for any producers who are not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer; and
(2) in those instances in which the insurer does not have the current producer of record information for an individual consumer.
As added by P.L.130-2020, SEC.10.
Structure Indiana Code
Article 2. Powers and Duties of Insurers
Chapter 27. Insurance Data Security
27-2-27-1. Applicability of Chapter
27-2-27-2. "Authorized Individual"
27-2-27-5. "Cybersecurity Event"
27-2-27-8. "Information Security Program"
27-2-27-9. "Information System"
27-2-27-11. "Multi-Factor Authentication"
27-2-27-12. "Nonpublic Information"
27-2-27-13. "Publicly Available Information"
27-2-27-15. "Third Party Service Provider"
27-2-27-16. Information Security Program; Requirements
27-2-27-17. Risk Assessment; Requirements
27-2-27-18. Actions Required Based on Risk Assessment Results
27-2-27-19. Board of Directors; Executive Management
27-2-27-20. Incident Response Plan
27-2-27-21. Investigation of Cybersecurity Event
27-2-27-22. Notice to Ceding Insurers and Commissioner of Cybersecurity Event
27-2-27-23. Notice to Producers of Cybersecurity Event
27-2-27-24. Powers of Commissioner
27-2-27-26. Exemptions From Chapter
27-2-27-27. Suspension; Revocation
27-2-27-29. Private Right of Action