Report A Cybersecurity Event
Each licensee, under certain circumstances, shall notify the commissioner within three business days after a determination of the occurrence of a cybersecurity event. The Insurance Data Security Law (Act 283 of the 2020 Regular Session) defines both “licensee” and “cybersecurity event” and creates the reporting requirement.
Generally, a “licensee” is a person or entity regulated by the commissioner of insurance, and a “cybersecurity event” involves the loss of electronic nonpublic information belonging to consumers and in the possession of licensees or the compromise of the information system of a licensee.
Reporting Flowchart
The Reporting a Cybersecurity Event Flowchart is meant only to be a guide for licensees, who are responsible for understanding and complying with the provisions of La. R.S. 22:2506, which governs notification to the commissioner and to consumers.
Notification Process
If, after a prompt investigation, a licensee determines both a cybersecurity event has occurred and a report is required, the licensee shall notify the commissioner without unreasonable delay but in no event later than three business days. When in doubt as to whether to notify the commissioner through the LDI, all licensees are encouraged to report the cybersecurity event and begin a dialogue with LDI staff as soon as possible.
Licensees will notify the commissioner and LDI using the Report a Cybersecurity Event Form, which provides a guide to the information required by the commissioner including additional documentation.
The Report a Cybersecurity Event Form and attachments should be submitted to the following email: Cyber.Report@ldi.la.gov.
Supplemental Information
Not all information may be available at the time of the initial report to the LDI. Licensees have a continuing obligation to update and supplement their initial and subsequent reports about material developments relating to the cybersecurity event as provided in La. R.S. 22:2506.