The Delaware Department of Insurance (“Department”) has recently reissued Universally Applicable Bulletin No. 5 regarding the Delaware Insurance Data Security Act requirements, applicable to anyone engaged in the business of insurance in Delaware. The key highlights are as follows:
- Licensees are required to notify the Department within three (3) business days of determining that a cybersecurity event has occurred, notify all impacted consumers within sixty (60) days of the determination that their data has or may have been compromised, and offer free credit monitoring services for one year to consumers impacted by breaches.
- Licensees who are subject to the Act should submit the required data breach/cyber security event notification to the Department’s email, doidatasecurity@delaware.gov. The notice should include the following information:
- Date the breach was discovered;
- Date the breach occurred;
- Description of how the breach occurred;
- What information was breached (or as soon as determined);
- How many Delaware policyholders may be affected (or as soon as determined);
- A list of the Delaware policyholders (or as soon as determined); and
- A copy of the notification being sent to affected policyholders.
- An insurer domiciled in this State who is subject to the Act shall annually submit the following to the Commissioner at doidatasecurity@delaware.gov, no later than February 15:
- A written statement, certifying that the insurer is in compliance with the requirements of the Act; and
- The following affidavit: data-security-act-affidavit-form-nwm.pdf.
- Note: This affidavit is only applicable to insurers and not all DE licensees.
Please note that this bulletin became effective upon reissuance on February 12, 2026.
For any questions related to the above referenced bulletin in Delaware, please contact Westmont Associates!