On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA.

Effective Oct. 1, 2019, pursuant to Insurance Article § 4-406, carriers are required to notify the insurance commissioner of a breach of the security of a system if the carrier (1) conducts an investigation required under § 14-3504(b) or (c) of the Commercial Law Article; and (2) determines that the breach of security of the system creates a likelihood that personal information has been or will be misused. The notice needs to be provided at the same time that the Maryland attorney general is notified pursuant to § 14-3504(h) of the Commercial Law Article.

The notice to the commissioner must include (1) a brief description of the circumstances of the security breach, (2) a copy of any notifications sent to consumers and (3) a copy of the notice submitted to the Maryland attorney general. The MIA has created an online form that can be used to submit the notice.

The MIA has thus joined a growing number of insurance departments that have issued bulletins, guidance or regulations on reporting security breaches. See our previous blog posts here and here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.