CSHB 324(L&C): "An Act relating to insurance data security; amending Rule 26, Alaska Rules of Civil Procedure, and Rules 402 and 501, Alaska Rules of Evidence; and providing for an effective date."

CS FOR HOUSE BILL NO. 324(L&C)

"An Act relating to insurance data security; amending Rule 26, Alaska Rules of Civil Procedure, and Rules 402 and 501, Alaska Rules of Evidence; and providing for an effective date."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 21.23 is amended by adding new sections to read:

Article 2. Insurance Data Security.

Sec. 21.23.240. Purpose and construction. (a) AS 21.23.240 - 21.23.399 establish the exclusive state standard for data security for licensees and govern the investigation and notification of a cybersecurity event.
(b) AS 21.23.240 - 21.23.399 may not be construed to
    (1) create or imply a private cause of action for violation of AS 21.23.240 - 21.23.399; or
    (2) prevent a private cause of action that would otherwise exist in the absence of AS 21.23.240 - 21.23.399.

Sec. 21.23.250. Risk assessment. (a) A licensee shall conduct a risk assessment commensurate with the size and complexity of the licensee and in consideration of the nature and scope of the licensee's activities to evaluate the security and confidentiality of nonpublic information used by or in the possession or control of the licensee. In conducting the risk assessment, the licensee shall
    (1) identify reasonably foreseeable internal or external threats in each area of the licensee's operations that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;
    (2) assess the likelihood and potential damage of the threats identified in (1) of this subsection, taking into consideration the sensitivity of nonpublic information; and
    (3) assess the sufficiency in each area of the licensee's operations of the licensee's policies, procedures, information systems, and other safeguards in place to manage the threats identified in (1) of this subsection, including the areas of
        (A) employee training and management;
        (B) network and software design, information classification, governance, processing, storage, transmission, and disposal; and
        (C) detecting, preventing, and responding to attacks or intrusions on information systems and nonpublic information, or other information system failures.
(b) A licensee shall use the licensee's risk assessment to design the licensee's information security program required under AS 21.23.260(a).

Sec. 21.23.260. Information security program. (a) A licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment conducted under AS 21.23.250(a). A licensee shall designate one or more employees, an outside vendor, or a third-party service provider to act on behalf of the licensee as the person responsible for the licensee's information security program.
(b) A licensee's information security program must

    (1) contain administrative, technical, and physical safeguards to protect the security and confidentiality of nonpublic information and the security of the licensee's information system;
    (2) protect against a threat or hazard to the security or integrity of nonpublic information and the information system;
    (3) protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer;
    (4) establish and periodically reevaluate a schedule for retention of nonpublic information; and
    (5) establish and implement a mechanism for the destruction of nonpublic information when the information is no longer needed.
(c) In developing, implementing, and maintaining a licensee's information security program, the licensee shall
    (1) based on the licensee's risk assessment conducted under AS 21.23.250(a), implement the following security measures if the licensee determines that the security measure is appropriate:
        (A) place and use effective access controls on information systems, including controls to authenticate and permit access only by authorized individuals, to protect against the unauthorized acquisition of nonpublic information; the controls may include multi-factor authentication procedures;
        (B) identify and manage the data, personnel, devices, information systems, and facilities that enable the organization to achieve its business objectives in accordance with the relative importance of the data, personnel, devices, information systems, and facilities to the organization's business objectives and risk strategy;
        (C) allow only authorized individuals to access physical locations containing nonpublic information;
        (D) protect by encryption or other appropriate means nonpublic information transmitted over an external network or stored on a laptop computer or other portable computing or storage device or media;

        (E) adopt secure development practices for applications used by the licensee that are developed in-house; the licensee shall adopt procedures for testing the security of externally developed applications used by the licensee;
        (F) modify information systems in accordance with the licensee's information security program;
        (G) regularly test and monitor information systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
        (H) include audit trails inside the information security program that are designed to detect and respond to cybersecurity events and to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
        (I) implement measures to protect against destruction, loss, or damage of nonpublic information caused by environmental hazards, including fire and water damage, or other catastrophes or technological failures; and
        (J) develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;
    (2) determine the cybersecurity risks to include in the licensee's risk management process;
    (3) stay informed of emerging threats or vulnerabilities and, when sharing information, use reasonable security measures in accordance with the character of the sharing and the type of information shared;
    (4) include cybersecurity risks in the licensee's enterprise risk management process;
    (5) provide personnel of the licensee with cybersecurity awareness training that is updated as necessary to reflect the risks identified in the risk assessment;
    (6) implement information safeguards to manage the threats identified in a risk assessment, and, not less than once a year, assess the effectiveness of the key controls, information systems, and procedures of the safeguards;

    (7) exercise due diligence in selecting a third-party service provider;
    (8) where appropriate, require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider; for purposes of this paragraph, encrypted nonpublic information is not considered accessible to, or held by, the third-party service provider if the associated protective process or key necessary to assign meaning to the nonpublic information is not within the possession of the third-party service provider;
    (9) monitor, evaluate, and adjust, as appropriate, the information security program consistent with relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to nonpublic information, and the licensee's own changing business arrangements, including mergers, acquisitions, alliances, joint ventures, outsourcing arrangements, and changes to information systems; and
    (10) establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee's possession, the licensee's information systems, or the continuing functionality of an aspect of the licensee's business or operations; the incident response plan must address the following:
        (A) the internal process for responding to a cybersecurity event;
        (B) the goals of the incident response plan;
        (C) the definition of clear roles, responsibilities, and levels of decision-making authority;
        (D) the licensee's internal process used for external and internal communication and information sharing;
        (E) the identification of requirements for the remediation of an identified weakness in information systems and associated controls;
        (F) the documentation and reporting of cybersecurity events and related incident response activities; and
        (G) the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
(d) A licensee's board of directors or an appropriate committee of the licensee's board of directors shall, at a minimum, require that
    (1) the licensee's executive management or the executive management's delegate develop, implement, and maintain the licensee's information security program; and
    (2) at least once a year, the licensee's executive management or the executive management's delegate report to the licensee's board of directors or an appropriate committee of the licensee's board of directors the following in writing:
        (A) the overall status of the information security program and the licensee's compliance with AS 21.23.240 - 21.23.399; and
        (B) material matters related to the information security program, including risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations, management's responses to the cybersecurity events or violations, and recommendations for changes in the information security program.
(e) If a licensee's executive management meets a requirement under (d) of this section through a delegate, the executive management shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate. The delegate shall provide a report to the executive management that complies with the requirements of (d)(2) of this section.
(f) Each licensee who is an insurer domiciled in this state shall
    (1) submit to the director a written statement by February 15 of each year certifying that the insurer is in compliance with the requirements under AS 21.23.250 and this section;
    (2) maintain and allow the director to examine for a period of five years after the insurer submits the written statement described in (1) of this subsection all records, schedules, and data supporting the written statement; and

    (3) provide documentation of any areas, information systems, or processes that the insurer has identified as requiring material improvement, updating, or redesign, and provide documentation of the remedial efforts planned and underway to address the areas, information systems, or processes; the insurer shall make the documentation available for examination by the director at the director's request.
(g) In this section,
    (1) "authorized individual" means an individual known to and screened by the licensee and for whom the licensee has determined access to the nonpublic information held by the licensee and its information systems is appropriate and necessary;
    (2) "multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:
        (A) a knowledge factor, including a password;
        (B) a possession factor, including a token or text message on a mobile telephone; or
        (C) an inherence factor, including a biometric characteristic.

Sec. 21.23.270. Investigation of cybersecurity event. (a) If a licensee becomes aware that a cybersecurity event has or may have occurred, the licensee or an outside vendor or third-party service provider designated to act on behalf of the licensee shall promptly investigate the cybersecurity event. During the investigation, if the licensee, outside vendor, or third-party service provider determines that a cybersecurity event has occurred, the licensee, outside vendor, or third-party service provider shall, to the extent possible,
    (1) assess the nature and scope of the cybersecurity event;
    (2) identify nonpublic information that may have been involved in the cybersecurity event; and
    (3) perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession or control.
(b) If a licensee becomes aware that a cybersecurity event has or may have occurred in an information system maintained by a third-party service provider, the licensee shall, to the extent possible, complete the actions described in (a) of this section or confirm and document that the third-party service provider has completed those actions.
(c) A licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce the records at the request of the director.

Sec. 21.23.280. Notification of cybersecurity event. (a) Unless a federal law enforcement official instructs the licensee not to distribute information regarding a cybersecurity event, a licensee shall notify the director as soon as possible and not later than three business days after the licensee determines that a cybersecurity event has occurred, if
    (1) the licensee is an insurer and domiciled in this state;
    (2) the licensee is an insurance producer and this state is the licensee's home state as defined in AS 21.27.990; or
    (3) the licensee reasonably believes that the cybersecurity event involves the nonpublic information of 250 or more consumers residing in this state and the cybersecurity event
        (A) affects the licensee, and a state or federal law requires the licensee to provide notice of the cybersecurity event to a government agency; or
        (B) has a reasonable likelihood of materially harming a consumer residing in this state or a material part of the normal operation of the licensee.
(b) To the greatest extent possible and in a form and format prescribed by the director, the notification to the director under (a) of this section must include the following information:
    (1) the date of the cybersecurity event;
    (2) a description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;

    (3) an explanation of how the cybersecurity event was discovered;
    (4) whether the lost, stolen, or breached nonpublic information has been recovered and, if so, how the nonpublic information was recovered;
    (5) the identity of the source of the cybersecurity event;
    (6) whether the licensee has filed a police report, or has notified a regulatory, government, or law enforcement agency about the cybersecurity event and, if so, the time and date that the licensee notified the agency;
    (7) a description of the specific types of information acquired without authorization, such as medical information, financial information, or information allowing identification of the consumer;
    (8) the period during which the information system was compromised by the cybersecurity event;
    (9) the number of total consumers in this state affected by the cybersecurity event; the licensee shall provide the licensee's best estimate in the licensee's initial notification to the director under (a) of this section, and shall update the estimate with each subsequent notification to the director under (c) of this section;
    (10) the results of an internal review identifying a lapse in either the licensee's automated controls or internal procedures or confirming that the licensee followed all automated controls or internal procedures;
    (11) a description of efforts the licensee is taking or has taken to remediate the situation that permitted the cybersecurity event to occur;
    (12) a copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
    (13) the name of a contact person who is familiar with the cybersecurity event and authorized to act on behalf of the licensee.
(c) After a licensee provides notice of a cybersecurity event to the director under (a) of this section, the licensee shall, in a form, format, and frequency prescribed by the director, update and supplement the information provided under (b) of this section.
(d) In addition to the requirements of this section, a licensee shall comply with all applicable provisions of AS 45.48 (Alaska Personal Information Protection Act). If a licensee is required to notify the director of a cybersecurity event under (a) of this section and is also required to provide notice under AS 45.48, the licensee shall provide to the director a copy of the notice sent to consumers under AS 45.48.
(e) Unless a third-party service provider of a licensee notifies the director, if the licensee becomes aware of a cybersecurity event that affects an information system maintained by the third-party service provider, the licensee shall comply with the requirements of this section to the greatest extent possible. For purposes of this subsection, the time prescribed in (a) of this section begins the day after the third-party service provider notifies the licensee of the cybersecurity event or the day after the date the licensee has actual knowledge of the cybersecurity event, whichever is earlier.
(f) A licensee acting as an assuming insurer that determines that a cybersecurity event has occurred shall, not later than three business days after the determination, notify the licensee's affected ceding insurers and the insurance supervisory official of the licensee's state of domicile if
    (1) the cybersecurity event involves nonpublic information and the nonpublic information is information used by or in the possession or control of the licensee acting as an assuming insurer; and
    (2) the licensee does not have a direct contractual relationship with a consumer affected by the cybersecurity event.
(g) A licensee acting as an assuming insurer that receives notification from the licensee's third-party service provider that a cybersecurity event has occurred shall, not later than three business days after receiving notification, notify the licensee's affected ceding insurers and the insurance supervisory official of the licensee's state of domicile if the cybersecurity event involves nonpublic information and the nonpublic information is in the possession or control of the third-party service provider.
(h) Except as provided in (f) and (g) of this section, a licensee acting as an assuming insurer does not have other notice obligations relating to a cybersecurity event under this section.
(i) A licensee that is an insurer and that becomes aware that a cybersecurity event involving nonpublic information has occurred shall, as soon as possible and in a form and format prescribed by the director, notify each independent insurance producer of record of a consumer affected by the cybersecurity event if
    (1) the nonpublic information is in the possession or control of the licensee or the licensee's third-party service provider;
    (2) the consumer accessed the insurer's services through the producer; and
    (3) the insurer has the current producer of record information for the consumer.
(j) An insurer shall notify an insurance producer of a cybersecurity event involving nonpublic information, not later than the date the notice is provided to the affected consumers, if
    (1) the nonpublic information is in the possession or control of a licensee that is an insurer or the licensee's third-party service provider;
    (2) the consumer accessed the insurer's services through an insurance producer; and
    (3) the insurer is required to notify affected consumers under AS 21.23.240 - 21.23.399 or AS 45.48.
(k) An insurer is exempt from notifying an insurance producer under (j) of this section if
    (1) the producer is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer; or
    (2) the insurer does not have the current producer information for an affected consumer.

Sec. 21.23.290. Confidentiality. (a) Any document, material, or information in the possession or control of the division that is provided by a licensee or an employee or agent acting on behalf of a licensee under AS 21.23.260(f) or 21.23.280(b)(2) - (5), (8), (10), or (11) or that is obtained by the director in an investigation or examination under AS 21.23.310
    (1) is confidential and privileged;
    (2) is not subject to inspection and copying under AS 40.25.110 - 40.25.220;

    (3) may not be obtained by subpoena or discovery; and
    (4) is not admissible in evidence in a private civil action.
(b) The director may use a document, material, or information described in (a) of this section in a regulatory or legal proceeding brought in the performance of the duties of the director under this title.
(c) The director or an individual acting under the authority of the director who receives a document, material, or information described in (a) of this section may not testify about the document, material, or information in a private civil action.
(d) In the performance of duties under AS 21.23.240 - 21.23.399, the director
    (1) may disclose a document, material, or information, including a document, material, or information that is confidential and privileged or subject to (a) of this section, to state, federal, and international regulatory or law enforcement agencies, or to the National Association of Insurance Commissioners and its affiliates or subsidiaries, if the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material, or information;
    (2) may receive a document, material, or information, including a document, material, or information that is confidential and privileged, from the National Association of Insurance Commissioners and its affiliates or subsidiaries, and from state, federal, and international regulatory or law enforcement agencies; the director shall maintain as confidential or privileged the document, material, or information if the entity that provided the director with the document, material, or information requests the director to do so or gives notice to the director that the document, material, or information is confidential or privileged under the law of the jurisdiction supplying it;
    (3) may disclose a document, material, or information that is subject to (a) of this section with a third-party service provider if the third-party service provider agrees in writing to maintain the confidentiality and privileged status of the document, material, or information; and
    (4) may enter into agreements consistent with this section governing the sharing and use of a document, material, or information that is confidential or privileged or subject to (a) of this section.

(e) A person does not waive a claim of privilege or confidentiality that the person possesses by providing a document, material, or information to the director under AS 21.23.240 - 21.23.399 or by the disclosure, receipt, or sharing of a document, material, or information under (d) of this section.

Sec. 21.23.300. Applicability. (a) AS 21.23.250 and 21.23.260 do not apply to
    (1) a licensee, including an independent contractor, with fewer than 15 employees;
    (2) a licensee if the licensee is an employee, agent, representative, or designee of another licensee covered by an information security program.
(b) AS 21.23.240 - 21.23.399 do not apply to a licensee subject to the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) if the licensee
    (1) has established and maintains an information security program under statutes, regulations, procedures, or guidelines established under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191);
    (2) is in compliance with the statutes, regulations, procedures, and guidelines established under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191); and
    (3) submits to the director a written statement certifying that the licensee is in compliance with the statutes, regulations, procedures, and guidelines established under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191).
(c) If a licensee no longer qualifies for an exception to the applicability of AS 21.23.240 - 21.23.399 under this section, the licensee shall comply with AS 21.23.240 - 21.23.399 within 180 days after the licensee no longer qualifies for the exception.

Sec. 21.23.310. Enforcement; penalties. (a) In addition to the director's power to examine or investigate under AS 21.06.120, the director may examine and investigate the affairs of a licensee to determine whether the licensee is or has been in violation of AS 21.23.240 - 21.23.399. The director shall conduct an examination or investigation under this section following the same procedures applicable to an examination or investigation under AS 21.06.120. The director may take necessary or appropriate action to enforce AS 21.23.240 - 21.23.399.
(b) In addition to any other penalty provided by law, a person who violates AS 21.23.240 - 21.23.399 is subject to the penalties provided under AS 21.27.440.

Sec. 21.23.399. Definitions. In AS 21.23.240 - 21.23.399,
    (1) "consumer" means an individual who is a resident of the state and whose nonpublic information is in a licensee's possession or control;
    (2) "cybersecurity event"
        (A) means an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on the information system;
        (B) does not include
            (i) the unauthorized acquisition of encrypted nonpublic information if the encryption's process or key is not also acquired, released, or used without authorization; or
            (ii) an event in which the licensee has determined that nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed;
    (3) "encrypt" means transforming of data into a form that results in a low probability of assigning meaning without the use of a protective process or key;
    (4) "information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;
    (5) "information system" means
        (A) a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information; or
        (B) a specialized system that may include an industrial or process control system, a telephone switching and private branch exchange system, or an environmental control system;
    (6) "licensee"

        (A) means a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under this title;
        (B) does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction;
    (7) "nonpublic information" means information that is not publicly available information and that is
        (A) business-related information of a licensee, the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse effect to the business, operations, or security of the licensee;
        (B) information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify the consumer in combination with one or more of the following data elements:
            (i) a social security number;
            (ii) a driver's license number or identification card number;
            (iii) a financial account, credit card, or debit card number;
            (iv) a security code, access code, or password that would permit access to a consumer's financial account; or
            (v) a biometric record; or
        (C) information or data, except age or gender, in any form created by or derived from a health care provider or a consumer that can be used to identify a particular consumer and relates to
            (i) the past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer's family;
            (ii) the provision of health care to a consumer; or
            (iii) payment for the provision of health care to a consumer;
    (8) "person" means an individual or a nongovernmental entity;

    (9) "publicly available information" means information that a licensee has determined is made available to the general public from
        (A) a federal, state, or local government record;
        (B) a widely distributed media; or
        (C) a disclosure to the general public that is required under federal, state, or local law;
    (10) "third-party service provider" means a person that is not a licensee that, through a contract with a licensee, is permitted access to and maintains, processes, or stores nonpublic information through its provision of services to the licensee.

* Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to read:
INDIRECT COURT RULE AMENDMENTS. (a) AS 21.23.290(a)(3), enacted by sec. 1 of this Act, has the effect of changing Rule 26, Alaska Rules of Civil Procedure, by prohibiting discovery of evidence in the possession or control of the division of insurance that is provided by a licensee or an employee or agent acting on behalf of a licensee under AS 21.23.260(f) or 21.23.280(b)(2) - (5), (8), (10), or (11) or that is obtained by the director in an investigation or examination under AS 21.23.310.
(b) AS 21.23.290(a)(4) and (c), enacted by sec. 1 of this Act, have the effect of changing Rules 402 and 501, Alaska Rules of Evidence, by
    (1) creating a new privilege that would prevent the director of the division of insurance, or an individual acting under the authority of the director, from being permitted or compelled to testify about confidential or privileged documents, materials, or information in a private civil action; and
    (2) precluding admissibility of evidence in a private action of documents, materials, or other information in the possession or control of the division of insurance that is provided by a licensee or an employee or agent acting on behalf of a licensee under AS 21.23.260(f) or 21.23.280(b)(2) - (5), (8), (10), or (11) or that is obtained by the director in an investigation or examination under AS 21.23.310.

* Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to read:

TRANSITION: REGULATIONS. The director of the division of insurance may adopt regulations necessary to implement this Act. The regulations take effect under AS 44.62 (Administrative Procedure Act), but not before the effective date of the law implemented by the regulation.

* Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to read:
CONDITIONAL EFFECT. AS 21.23.290(a)(3) and (4) and (c), enacted by sec. 1 of this Act, take effect only if sec. 2 of this Act receives the two-thirds majority vote of each house required by art. IV, sec. 15, Constitution of the State of Alaska.

* Sec. 5. Section 3 of this Act takes effect immediately under AS 01.10.070(c).

* Sec. 6. If AS 21.23.290(a)(3) and (4) and (c) take effect, they take effect January 1, 2025.

* Sec. 7. AS 21.23.250 and 21.23.260(a), (b), (c)(1) - (6), (9), and (10), and (d) - (g), enacted by sec. 1 of this Act, take effect January 1, 2026.

* Sec. 8. AS 21.23.260(c)(7) and (8), enacted by sec. 1 of this Act, take effect January 1, 2027.

* Sec. 9. Except as provided in secs. 5 - 8 of this Act, this Act takes effect January 1, 2025.