Trinidad Navarro, the insurance commissioner in Delaware, United States, has reissued a critical regulatory bulletin reminding insurance entities of their strict obligations under the Delaware Insurance Data Security Act. The move underscores a looming February 15, 2026 deadline for firms to certify their compliance with state cybersecurity standards.

Originally established in 2019, the Act mandates that insurance licensees operating in Delaware maintain robust information security programs designed to shield consumers’ private data from cyberattacks.

Key consumer protections and mandates

Under the law, insurance providers must adhere to a rigorous protocol if a data breach occurs:

  • Rapid Notification: Companies must notify the Delaware Department of Insurance within three business days of confirming a cybersecurity event.
  • Consumer Alerts: Impacted residents must be informed within 60 days if their personal data has been compromised.
  • Credit Monitoring: In the event of a breach, insurers are required to provide one year of free credit monitoring to those affected.
  • Mandatory Investigations: Firms are legally obligated to conduct thorough investigations to determine the scope of any data theft.

Annual certification and enforcement

All insurers domiciled in Delaware are required to submit a written statement of compliance and a signed affidavit by February 15 each year. These filings must be sent to the department’s dedicated security email.

Commissioner Navarro’s updated bulletin (Universally Applicable Bulletin No. 5) also officially rescinds older notification guidelines, as they have been superseded by the current Act. The Commissioner maintains the authority to investigate any insurer suspected of violating these security standards.

Small businesses and specific entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) may be exempt from certain filing requirements, though the overarching security expectations remain in effect to protect Delaware policyholders.

The HIPAA was signed into law by Bill Clinton on August 21, 1996. He served as the U.S. president from January 20, 1993 to January 20, 2001.

Unknown's avatar

Published by Kiyoshi Motohiko

A business and technology enthusiast, I am curious about how societies pick which brands to include in their history as a generational group.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.