Delaware’s Department of Insurance has reissued a key bulletin about the Delaware Insurance Data Security Act, reminding insurers and related businesses of important rules they must follow to protect consumers’ private information. The update, released on February 13, 2026, reinforces compliance deadlines and outlines specific responsibilities for those in the insurance industry operating within the state.
The bulletin, known as Universally Applicable Bulletin No. 5, highlights that all licensed entities—except for some out-of-state insurers meeting certain exceptions—must have information security programs in place. These programs are designed to stop data breaches and must have been implemented by August 1, 2020. Oversight of third-party service providers also became mandatory by August 1, 2021.
If a cybersecurity event happens, companies must investigate to find out what data might have been exposed. They need to report any confirmed breach to the Delaware Department of Insurance within three business days. After that, they must notify affected customers within 60 days and provide those customers with one year of free credit monitoring services.
Delaware Insurance Commissioner Trinidad Navarro emphasized these points to make sure everyone understands their duties under the Act, which is found in 18 Del. C. Chapter 86. The bulletin also cancels a previous notice about data breach notifications, as those rules are now fully covered by the Act. However, insurers are still encouraged to use closed-faced envelopes when mailing sensitive information to consumers.
For those reporting a data breach or cybersecurity issue, notices must be sent to a specific email address reserved for this purpose. Reports should include details such as when the event was discovered, when it occurred, what kind of data was involved, how many Delaware policyholders were affected, and copies of any notifications sent to consumers.
Delaware-based insurers also have to submit an annual certification confirming they comply with the Act. This written statement, along with a signed affidavit provided by the Department of Insurance, must be sent by February 15 each year. Some smaller companies and those regulated under HIPAA, as well as certain employees or agents covered by another licensee’s security program, may be exempt from these requirements.
This move strengthens Delaware’s commitment to safeguarding personal information in the insurance industry. It also underscores the importance of quick, transparent responses when data breaches happen, helping to protect consumers from potential harm.