On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA.

Effective Oct. 1, 2019, pursuant to Insurance Article § 4-406, carriers are required to notify the insurance commissioner of a breach of the security of a system if the carrier (1) conducts an investigation required under § 14-3504(b) or (c) of the Commercial Law Article; and (2) determines that the breach of security of the system creates a likelihood that personal information has been or will be misused. The notice needs to be provided at the same time that the Maryland attorney general is notified pursuant to § 14-3504(h) of the Commercial Law Article.

The notice to the commissioner must include (1) a brief description of the circumstances of the security breach, (2) a copy of any notifications sent to consumers and (3) a copy of the notice submitted to the Maryland attorney general. The MIA has created an online form that can be used to submit the notice.

The MIA has thus joined a growing number of insurance departments that have issued bulletins, guidance or regulations on reporting security breaches. See our previous blog posts here and here.