Alaska Stat. § 21.23.280

Current through Chapter 61 of the 2024 Legislative Session and 2024 Executive Orders 125, 133 through 135
Section 21.23.280 - [Effective 1/1/2025] Notification of cybersecurity event
(a) Unless a federal law enforcement official instructs the licensee not to distribute information regarding a cybersecurity event, a licensee shall notify the director as soon as possible and not later than three business days after the licensee determines that a cybersecurity event has occurred, if
(1) the licensee is an insurer and domiciled in this state;
(2) the licensee is an insurance producer and this state is the licensee's home state as defined in AS 21.27.990; or
(3) the licensee reasonably believes that the cybersecurity event involves the nonpublic information of 250 or more consumers residing in this state and the cybersecurity event
(A) affects the licensee, and a state or federal law requires the licensee to provide notice of the cybersecurity event to a government agency; or
(B) has a reasonable likelihood of materially harming a consumer residing in this state or a material part of the normal operation of the licensee.
(b) To the greatest extent possible and in a form and format prescribed by the director, the notification to the director under (a) of this section must include the following information:
(1) the date of the cybersecurity event;
(2) a description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
(3) an explanation of how the cybersecurity event was discovered;
(4) whether the lost, stolen, or breached nonpublic information has been recovered and, if so, how the nonpublic information was recovered;
(5) the identity of the source of the cybersecurity event;
(6) whether the licensee has filed a police report, or has notified a regulatory, government, or law enforcement agency about the cybersecurity event and, if so, the time and date that the licensee notified the agency;
(7) a description of the specific types of information acquired without authorization, such as medical information, financial information, or information allowing identification of the consumer;
(8) the period during which the information system was compromised by the cybersecurity event;
(9) the number of total consumers in this state affected by the cybersecurity event; the licensee shall provide the licensee's best estimate in the licensee's initial notification to the director under (a) of this section, and shall update the estimate with each subsequent notification to the director under (c) of this section;
(10) the results of an internal review identifying a lapse in either the licensee's automated controls or internal procedures or confirming that the licensee followed all automated controls or internal procedures;
(11) a description of efforts the licensee is taking or has taken to remediate the situation that permitted the cybersecurity event to occur;
(12) a copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
(13) the name of a contact person who is familiar with the cybersecurity event and authorized to act on behalf of the licensee.
(c) After a licensee provides notice of a cybersecurity event to the director under (a) of this section, the licensee shall, in a form, format, and frequency prescribed by the director, update and supplement the information provided under (b) of this section.
(d) In addition to the requirements of this section, a licensee shall comply with all applicable provisions of AS 45.48 (Alaska Personal Information Protection Act). If a licensee is required to notify the director of a cybersecurity event under (a) of this section and is also required to provide notice under AS 45.48, the licensee shall provide to the director a copy of the notice sent to consumers under AS 45.48.
(e) Unless a third-party service provider of a licensee notifies the director, if the licensee becomes aware of a cybersecurity event that affects an information system maintained by the third-party service provider, the licensee shall comply with the requirements of this section to the greatest extent possible. For purposes of this subsection, the time prescribed in (a) of this section begins the day after the third-party service provider notifies the licensee of the cybersecurity event or the day after the date the licensee has actual knowledge of the cybersecurity event, whichever is earlier.
(f) A licensee acting as an assuming insurer that determines that a cybersecurity event has occurred shall, not later than three business days after the determination, notify the licensee's affected ceding insurers and the insurance supervisory official of the licensee's state of domicile if
(1) the cybersecurity event involves nonpublic information and the nonpublic information is information used by or in the possession or control of the licensee acting as an assuming insurer; and
(2) the licensee does not have a direct contractual relationship with a consumer affected by the cybersecurity event.
(g) A licensee acting as an assuming insurer that receives notification from the licensee's third-party service provider that a cybersecurity event has occurred shall, not later than three business days after receiving notification, notify the licensee's affected ceding insurers and the insurance supervisory official of the licensee's state of domicile if the cybersecurity event involves nonpublic information and the nonpublic information is in the possession or control of the third-party service provider.
(h) Except as provided in (f) and (g) of this section, a licensee acting as an assuming insurer does not have other notice obligations relating to a cybersecurity event under this section.
(i) A licensee that is an insurer and that becomes aware that a cybersecurity event involving nonpublic information has occurred shall, as soon as possible and in a form and format prescribed by the director, notify each independent insurance producer of record of a consumer affected by the cybersecurity event if
(1) the nonpublic information is in the possession or control of the licensee or the licensee's third-party service provider;
(2) the consumer accessed the insurer's services through the producer; and
(3) the insurer has the current producer of record information for the consumer.
(j) An insurer shall notify an insurance producer of a cybersecurity event involving nonpublic information, not later than the date the notice is provided to the affected consumers, if
(1) the nonpublic information is in the possession or control of a licensee that is an insurer or the licensee's third-party service provider;
(2) the consumer accessed the insurer's services through an insurance producer; and
(3) the insurer is required to notify affected consumers under AS 21.23.240 - 21.23.399 or AS 45.48.
(k) An insurer is exempt from notifying an insurance producer under (j) of this section if
(1) the producer is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer; or
(2) the insurer does not have the current producer information for an affected consumer.

AS 21.23.280

Added by SLA 2024, ch. 39, sec. 1, eff. 1/1/2025.