logoLOUISIANA
DEPARTMENTOF
INSURANCE
Industry Access

Office Directory

Online Services

News/Media

FAQs

phone   Contact Us

Louisiana Department of Insurance

1-800-259-5300

(225) 342-5900

Email Us

Report A Cybersecurity Event

Each licensee, under certain circumstances, shall notify the commissioner within three business days after a determination of the occurrence of a cybersecurity event. The Insurance Data Security Law (Act 283 of the 2020 Regular Session) defines both “licensee” and “cybersecurity event” and creates the reporting requirement.

Generally, a “licensee” is a person or entity regulated by the commissioner of insurance, and a “cybersecurity event” involves the loss of electronic nonpublic information belonging to consumers and in the possession of licensees or the compromise of the information system of a licensee.


Reporting Flowchart

The Reporting a Cybersecurity Event Flowchart is meant only to be a guide for licensees, who are responsible for understanding and complying with the provisions of La. R.S. 22:2506, which governs notification to the commissioner and to consumers.


Notification Process

If, after a prompt investigation, a licensee determines both a cybersecurity event has occurred and a report is required, the licensee shall notify the commissioner without unreasonable delay but in no event later than three business days. When in doubt as to whether to notify the commissioner through the LDI, all licensees are encouraged to report the cybersecurity event and begin a dialogue with LDI staff as soon as possible.

Licensees will notify the commissioner and LDI using the Cybersecurity Reporting Module in the Industry Access Portal, https://ia.ldi.state.la.us/industryaccess.


Supplemental Information

Not all information may be available at the time of the initial report to the LDI. Licensees have a continuing obligation to update and supplement their initial and subsequent reports about material developments relating to the cybersecurity event as provided in La. R.S. 22:2506. Updates and supplemental information should be submitted to [email protected].


Louisiana Insurance Data Security Law Information Security Program

 
Pursuant to Bulletin 2021-04, all licensees of the Louisiana Department of Insurance, as that term is defined in La. R.S. 22:2503(7), are now required to develop, implement and maintain a comprehensive written information security program (ISP) that complies with the requirements of La. R.S. 22:2054 no later than August 1, 2021. Bulletin 2021-04 also requires the submission of either a certification of compliance with La. R.S. 22:2504 or exemption under La. R.S. 22:2509. Below you will find a link to the bulletin with information on filing dates and requirements, as well as links to both the certification and exemption forms.

Bulletin 2021-04
Louisiana Insurance Data Security Law Information Security Program Certification Form
Louisiana Insurance Data Security Law Information Security Program Exemption Certification Form

If you meet any of the following criteria, it is only necessary to submit the Louisiana Insurance Data Security Law Information Security Program Exemption Certification Form:
  • Have fewer than twenty-five (25) employees.
  • Have less than five million dollars in gross annual revenue.
  • Have less than ten million dollars in year-end total assets.
  • Are a licensee who is also an employee, agent, representative, or designee of another licensee, to the extent that you are covered by the other licensee’s ISP. A single licensed producer employed by an agency will fall under this exemption.
  • Are subject to the Health Insurance Portability and Accountability Act (HIPAA), establish and maintain an information security program (ISP) pursuant to HIPAA statutes, rules, regulations, procedures, or guidelines, AND comply with and submit, upon request, a written certification of compliance with the ISP established pursuant to HIPAA statutes, rules, regulations, procedures, or guidelines.
  • Are affiliated with a depository institution subject to the Interagency Guidelines Establishing Information Security Standards pursuant to the Gramm-Leach-Bliley Act (Gramm-Leach-Bliley), establish and maintain an information security program (ISP) pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures, or guidelines, AND comply with and submit, upon request, a written certification of compliance with the ISP established pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures or guidelines.
  • Are subject to a jurisdiction approved by the commissioner, establish and maintain an information security program (ISP) pursuant to that jurisdiction’s statutes, rules, regulations, procedures, or guidelines, AND comply with and submit a written certification of compliance with the ISP established pursuant to Gramm-Leach-Bliley statutes, rules, regulations, procedures, or guidelines.

Annual certification and exemption forms are to be submitted through the Cybersecurity Certification Module in the Industry Access Portal, found at https://ia.ldi.state.la.us/industryaccess/.  
 
Any questions regarding Bulletin 2021-04 or the certification or exemption forms should be submitted to [email protected].
Call Us
  • PRIMARY: (225) 342-5900
  • TOLL_FREE: (800) 259-5300
Address
  • 1702 N. Third Street
    Baton Rouge, LA 70802
Connect With Us
    Connect with Us:
About the LDI
© 2024 Louisiana Department of Insurance. All Rights Reserved.
 
LDI Webmail