The Vermont Statutes Online
The Vermont Statutes Online does not include the actions of the 2024 session of the General Assembly. We expect them to be updated by November 1st.
NOTE: The Vermont Statutes Online is an unofficial copy of the Vermont Statutes Annotated that is provided as a convenience.
Title 8: Banking and Insurance
Chapter 129: Insurance Trade Practices
§ 4721. Purpose
The purpose of sections 4721-4733 of this title is to regulate trade practices in the business of insurance in accordance with the intent of Congress as expressed in The McCarran-Ferguson Act, 15 U.S.C. §§ 1011-1015, by defining, or providing for the determination of, practices in this State that constitute unfair methods of competition or unfair or deceptive acts or practices and by prohibiting the trade practices so defined or determined. (Amended 1973, No. 216 (Adj. Sess.), § 1, eff. May 1, 1974.)
§ 4722. Definitions
As used in this chapter:
(1) “Person” means any individual, corporation, association, partnership, reciprocal exchange, interinsurer, Lloyds insurer, fraternal benefit society, and any other legal entity engaged in the business of insurance, including agents, brokers, appraisers, and adjusters. Person also means medical, dental, optometric, and hospital service plans as defined in this title. For the purposes of this title, medical, dental, optometric, and hospital service plans shall be deemed to be engaged in the business of insurance.
(2) “Commissioner” means the Commissioner of Financial Regulation.
(3) “Insurance policy” or “insurance contract” means any contract of insurance, indemnity, medical, dental, optometric, or hospital service, suretyship, or annuity issued, proposed for issuance, or intended for issuance by any person.
(4)(A) “Abusive litigation” means litigation or other legal action to deter, prevent, sanction, or punish any person engaging in legally protected health care activity by:
(i) filing or prosecuting any action in any other state where liability, in whole or part, directly or indirectly, is based on legally protected health care activity that occurred in this State, including any action in which liability is based on any theory of vicarious, joint, or several liability derived therefrom; or
(ii) attempting to enforce any order or judgment issued in connection with any such action by any party to the action or any person acting on behalf of a party to the action.
(B) A lawsuit shall be considered to be based on conduct that occurred in this State if any part of any act or omission involved in the course of conduct that forms the basis for liability in the lawsuit occurs or is initiated in this State, whether or not such act or omission is alleged or included in any pleading or other filing in the lawsuit.
(5) “Legally protected health care activity” has the same meaning as in 1 V.S.A. § 150. (Amended 1973, No. 216 (Adj. Sess.), § 2, eff. May 1, 1974; 1989, No. 225 (Adj. Sess.), § 25; 1995, No. 180 (Adj. Sess.), § 38; 2011, No. 78 (Adj. Sess.), § 2, eff. April 2, 2012; 2023, No. 15, § 2, eff. May 10, 2023.)
§ 4723. Unfair methods of competition or unfair or deceptive acts or practices prohibited
No person shall engage in any trade practice that is determined under this chapter to be an unfair method of competition or an unfair or deceptive act or practice in the business of insurance. (Amended 1973, No. 216 (Adj. Sess.), § 3, eff. May 1, 1974.)
§ 4724. Unfair methods of competition or unfair or deceptive acts or practices defined
The following are hereby defined as unfair methods of competition or unfair or deceptive acts or practices in the business of insurance:
(1) Misrepresentations and false advertising of insurance policies. Making, issuing, circulating, or causing to be made, issued, or circulated, any estimate, illustration, circular, statement, sales presentation, omission, or comparison that:
(A) misrepresents or fails to adequately disclose the benefits, advantages, conditions, exclusions, limitations, or terms of any insurance policy; or
(B) misrepresents the dividends or share of the surplus to be received on any insurance policy; or
(C) makes any false or misleading statements as to the dividends or share of surplus previously paid on any insurance policy; or
(D) is misleading or is a misrepresentation as to the financial condition of any person, or as to the legal reserve system upon which any life insurer operates; or
(E) uses any name or title of any insurance policy or class of insurance policies misrepresenting the true nature thereof; or
(F) is a misrepresentation for the purpose of inducing or tending to induce the lapse, forfeiture, exchange, conversion, or surrender of any insurance policy; or
(G) is a misrepresentation for the purpose of effecting a pledge or assignment of or effecting a loan against any insurance policy; or
(H) misrepresents any insurance policy as being shares of stock.
(2) False information and advertising generally. Making, publishing, disseminating, circulating, or placing before the public or causing, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in a newspaper, magazine, or other publication, in the form of a notice, circular, pamphlet, letter, or poster or over any radio station or television station, or in any other way, an advertisement, announcement, or statement containing any assertion, representation, or statement with respect to the business of insurance or with respect to any person in the conduct of his or her business that is untrue, deceptive, or misleading.
(3) Defamation. Making, publishing, disseminating, or circulating, directly or indirectly, or aiding, abetting, or encouraging the making, publishing, disseminating, or circulating of any oral or written statement or any pamphlet, circular, article or literature that is false, or maliciously critical of or derogatory to the financial condition of any person and which is calculated to injure such person.
(4) Boycott, coercion, and intimidation.
(A) Entering into any agreement to commit, or by any concerted action committing, any act of boycott, coercion, or intimidation resulting in or tending to result in unreasonable restraint of trade, or monopoly in, the business of insurance.
(B) Committing any act of boycott, coercion, or intimidation in the marketing or sale of any insurance contracts.
(5) False financial statements and entries.
(A) Knowingly filing with any supervisory or other public official, or knowingly making, publishing, disseminating, circulating, or delivering to any person, or placing before the public, or knowingly causing directly or indirectly, to be made, published, disseminated, circulated, delivered to any person, or placed before the public, any false material statement of fact as to the financial condition of a person.
(B) Knowingly making any false entry of a material fact in a book, report, or statement of any person or knowingly omitting to make a true entry of any material fact pertaining to the business of such person in any book, report, or statement of such person.
(C) Knowingly concealing, withholding or destroying, mutilating, altering, or by any means falsifying any documentary material in the possession, custody, or control of any person after that person:
(i) has received a complaint to which that documentary material is directly relevant; or
(ii) knows that the documentary material is relevant to an investigation or an examination of that person being made by the Commissioner.
(6) Stock operations and advisory board contracts. Permitting agents, officers, or employees to issue or deliver agency or company stock or other capital stock, or benefit certificates or share in any common-law corporation, or securities or any special or advisory board contracts or other contracts of any kind promising returns and profits as an inducement to insure.
(7) Unfair discrimination; arbitrary underwriting action.
(A) Making or permitting any unfair discrimination between insureds of the same class and equal risk in the rates charged for any contract of insurance, or in the dividends or other benefits payable thereon, or in any other of the terms and conditions of such contracts.
(B) Making or permitting unfair discrimination against an applicant or an insured, on the basis of the sex, sexual orientation, gender identity, or marital status of the applicant or insured, with regard to:
(i) underwriting standards and practices or eligibility requirements; or
(ii) rates; however, nothing in this subdivision shall prevent any person who contracts to insure another from setting rates for such insurance in accordance with reasonable classifications based on relevant actuarial data or actual cost experience in accordance with section 4686 of this title.
(C)(i) Inquiring or investigating, directly or indirectly, as to an applicant’s, an insured’s, or a beneficiary’s sexual orientation, or gender identity in an application for insurance coverage or in an investigation conducted by an insurer, reinsurer, or insurance support organization in connection with an application for such coverage, or using information about gender, marital status, medical history, occupation, residential living arrangements, beneficiaries, zip codes, or other territorial designations to determine sexual orientation or gender identity.
(ii) Using sexual orientation, gender identity, or beneficiary designation in the underwriting process or in the determination of insurability.
(iii) Making adverse underwriting decisions because medical records or a report from an insurance support organization reveal that an applicant or insured has demonstrated HIV-related concerns by seeking counseling from health care professionals.
(iv) Making adverse underwriting decisions on the basis of the existence of nonspecific blood code information received from the medical information bureau or a national data bank, but this prohibition shall not bar investigation in response to such a nonspecific blood code.
(v) The provisions of this subdivision (C) shall not be construed to prohibit an insurer from requesting an applicant or insured to take an HIV-related test on the basis of the health history or current condition of health of the applicant or insured in accordance with the provisions of subdivision (20) of this section.
(D) Making or permitting any unfair discrimination against any individual by conditioning insurance rates, the provision or renewal of insurance coverage, or other conditions of insurance based on medical information, including the results of genetic testing, where there is not a relationship between the medical information and the cost of the insurance risk that the insurer would assume by insuring the proposed insured. In demonstrating the relationship, the insurer can rely on actual or reasonably anticipated experience. As used in this subdivision, “genetic testing” shall be defined as the term is defined in 18 V.S.A. § 9331(7).
(E) Making or permitting unfair discrimination between married couples and parties to a civil union as defined under 15 V.S.A. § 1201, with regard to the offering of insurance benefits to a couple, a spouse, a party to a civil union, or their family. The Commissioner shall adopt rules necessary to carry out the purposes of this subdivision. The rules shall ensure that insurance contracts and policies offered to married couples, spouses, and families are also made available to parties to a civil union and their families. The Commissioner may adopt by order standards and a process to bring the forms currently on file and approved by the Department into compliance with Vermont law. The standards and process may differ from the provisions contained in chapter 101, subchapter 6, and sections 4062, 4201, 4515a, 4587, 4685, 4687, 4688, 4985, 5104, and 8005 of this title where, in the Commissioner’s opinion, the provisions regarding filing and approval of forms are not desirable or necessary to effectuate the purposes of this section.
(F)(i) Discriminating against a health care provider, as defined by 18 V.S.A. § 9496, or adjusting or otherwise calculating a health care provider’s risk classification or premium charges on the basis that:
(I) the health care provider provides or assists in the provision of legally protected health care activity that is unlawful in another state;
(II) another state’s laws create potential or actual liability for that activity;
(III) abusive litigation against a provider concerning legally protected health care activity resulted in a claim, settlement, or judgement against the provider; or
(IV) the license of the provider has been disciplined in any way by another state based solely on the provider’s provision of legally protected health care activity.
(ii) For purposes of this subdivision (F), it shall not be unfairly discriminatory nor an arbitrary underwriting action against a health care provider if the risk classifications, premium charges, or other underwriting considerations are based on factors other than those listed in subdivision (i) of this subdivision (F).
(8) Rebates.
(A) Except as otherwise expressly provided by law, knowingly permitting or offering to make or making any contract of insurance or agreement as to such contract other than as plainly expressed in the insurance contract issued thereon, or paying or allowing, or giving or offering to pay, allow, or give, directly or indirectly, as inducement to such insurance, any rebate or premiums payable on the contract, or any special favor or advantage in the dividends or other benefits thereon, or any valuable consideration or inducement whatever not specified in the contract; or giving, or selling, or purchasing or offering to give, sell, or purchase as inducement to such insurance contract or annuity or in connection therewith, any stocks, bonds, or other securities of any insurance company or other corporation, association, or partnership, or any dividends or profits accrued thereon, or anything of value whatsoever not specified in the contract.
(B) Making available through any rating plan or form, property, casualty, or surety insurance to any firm, corporation, or association of individuals, any preferred rate or premium based upon any fictitious grouping of such firm, corporation, or individuals. The grouping of risks by way of membership, nonmembership, license, franchise, employment, contract, agreement, or any other method or means, when the grouping of risks have no preferred characteristic over similar risks written on an individual basis, for the purpose of insuring such grouped risks at a preferred rate or premium or on a preferred form is a “fictitious grouping.” This subdivision shall not apply to life or health and disability insurance or annuity contracts.
(C) Nothing in subdivision (7) or (8)(A) of this section shall be construed as including within the definition of discrimination or rebates any of the following practices:
(i) in the case of any contract of life insurance or life annuity, paying bonuses to policyholders or otherwise abating their premiums in whole or in part out of surplus accumulated from nonparticipating insurance, provided that such bonuses or abatement of premiums shall be fair, and equitable to policyholders and for the best interests of the company and its policyholders;
(ii) in the case of life insurance policies issued on the industrial debit plan, making allowance to policyholders who have continuously for a specified period made premium payments directly to an office of the insurer in an amount that fairly represents the saving in collection expenses;
(iii) readjustment of the rate of premium for a group insurance policy based on the loss or expense under the group insurance policy at the end of the first or any subsequent policy year of insurance under the group policy, which may be made retroactive only for such policy year;
(iv) the offer or provision by insurers, by or through employees, affiliates, or third-party representatives of value-added products or services at no or reduced cost, even when such products or services are not specified in the insurance policy, provided the product or service meets each of the following criteria:
(I) The product or service relates to the insurance coverage.
(II) The product or service is primarily designed to satisfy one or more of the following:
(aa) provide loss mitigation or loss control;
(bb) reduce claim costs or claim settlement costs;
(cc) provide education about liability risks or risk of loss to persons or property;
(dd) monitor or assess risk, identify sources of risk, or develop strategies for eliminating or reducing risk;
(ee) enhance health;
(ff) enhance financial wellness through items such as education or financial planning services;
(gg) provide post-loss service;
(hh) incent behavioral changes to improve health or reduce the risk of death or disability of an insured or potential insured; or
(ii) assist in the administration of the employee or retiree benefit insurance coverage.
(III) The cost to the insurer offering the product or service to any given customer is determined by the Commissioner to be reasonable in comparison to that customer’s premiums or insurance coverage for the policy class.
(IV) The insurer, providing the product or service directly or through a producer, ensures that the customer is provided with contact information to assist the customer with questions regarding the product or service.
(V) The availability of the product or service is based on documented objective criteria and offered in a manner that is not unfairly discriminatory.
(VI) Within 10 days after offering or providing a product or service pursuant to subdivision (8)(C)(iv) of this section, the insurer submits to the Commissioner a description of the offer or provision, accompanied by an explanation of how each criterion in this subdivision (8)(C)(iv) of this section is met.
(D) An insurer, producer, or representative of either may not offer or provide insurance as an inducement to the purchase of another policy or otherwise use the words “free” or “no cost” or words of similar import in an advertisement.
(9) Unfair claim settlement practices. Committing or performing with such frequency as to indicate a business practice any of the following:
(A) misrepresenting pertinent facts or insurance policy provisions relating to coverage at issue;
(B) failing to acknowledge and act reasonably promptly upon communications with respect to claims arising under insurance policies;
(C) failing to adopt and implement reasonable standards for the prompt investigation of claims arising under insurance policies;
(D) refusing to pay claims without conducting a reasonable investigation based upon all available information;
(E) failing to affirm or deny coverage of claims within a reasonable time after proof of loss statements have been completed;
(F) not attempting in good faith to effectuate prompt, fair, and equitable settlements of claims in which liability has become reasonably clear;
(G) attempting to settle a claim for less than the amount to which a reasonable person would have believed he or she was entitled by reference to written or printed advertising material accompanying or made a part of the application;
(H) attempting to settle claims on the basis of an application that was altered without notice to, or knowledge or consent of the insured;
(I) making claim payments to insureds or beneficiaries not accompanied by a statement setting forth the coverage under which the payments are made;
(J) making known to insureds or claimants a policy of appealing from arbitration awards in favor of insureds or claimants for the purpose of compelling them to accept settlements or compromises less than the amount awarded in arbitration;
(K) delaying the investigation or payment of claims by requiring an insured, claimant, or the physician of either to submit a preliminary claim report and then requiring the subsequent submission of formal proof of loss forms, both of which submissions contain substantially the same information;
(L) failing to promptly settle claims where liability has become reasonably clear under one portion of the insurance policy coverage in order to influence settlements under other portions of the insurance policy coverage;
(M) failing to promptly provide a reasonable explanation of the basis in the insurance policy in relation to the facts or applicable law for denial of a claim or for the offer of a compromise settlement.
(10) Failure to maintain complaint handling procedures. Failure of any person to maintain a complete record of all of the complaints that it has received since the date of its last examination under section 3563 or 3564 of this title. This record shall indicate the total number of complaints, their classification by line of insurance, the nature of each complaint, the disposition of these complaints, the time it took to process each complaint, and such other information as the Commissioner may require. As used in this subdivision, “complaint” shall mean any written communication primarily expressing a grievance.
(11) Misrepresentation in insurance applications. Making false or fraudulent statements or representations on or relative to an application for an insurance policy, for the purpose of obtaining a fee, commission, money, or other benefit from any insurers, agent, broker, or individual.
(12) Failure of agent, broker, or insurer to act as fiduciary. Failure of any insurance agent, broker, or insurer to act as a fiduciary in regard to premiums, return premiums, or other sums of money received by him or her in his or her capacity as insurance agent, insurance broker, or insurer by failure to pay or transmit in a timely manner those sums of money to the persons to whom it is owed.
(13) Misrepresentation of services or products. Any person offering his or her or its services or insurance policies to the public in such a way as to mislead or to fail to adequately disclose to the public the true nature of the policies or the services offered.
(14) Nondisclosure of fees or charges. Failure of any agent or broker to obtain a prior written agreement with a client, policyholder, or other member of the public concerning fees or charges made by that agent or broker directly to the client, policyholder, or member of the public for that agent or broker procuring, servicing, or providing advice on insurance contracts. Commissions, expense allowances, bonuses, fees, or any other compensation received directly by agents or brokers from any legal entity engaged in the insurance business is exempt from this subdivision.
(15) Financed premiums. Misrepresenting or failing to completely disclose the terms, conditions, or benefits of financing premiums for insurance policies where the financing of the premiums constitutes part of the solicitation or sale of the policy.
(16) Unsuitable policies. Soliciting, selling, or issuing an insurance policy when the person soliciting, selling, or issuing the policy has reason to know or should have reason to know that it is unsuitable for the person purchasing it.
(17) Failure to instruct or supervise representatives. Failure of an employer or principal engaged in the business of insurance to instruct or supervise any full-time agent, or full-time adjuster, or full- or part-time employee after that employer or principal has knowledge of a deceptive or unfair act or practice prohibited by this chapter that was committed by that agent, adjuster, or employee.
(18) Doing business with a person known to be committing deceptive or unfair acts or using prohibited practices. Accepting business from or contracting with or continuing contractual relations with a person whom the other person knows or has or should have reason to know is repeatedly committing deceptive or unfair acts or practices prohibited by this title.
(19) Failure to comply with filed rates, rules, regulations, or forms. Failure to comply with any rates, rules, regulations, or forms filed with the Commissioner.
(20) HIV-related tests. Failing to comply with the provisions of this subdivision regarding HIV-related tests. “HIV-related test” means a test approved by the U.S. Food and Drug Administration, included in the current Centers for Disease Control and Prevention recommended laboratory HIV testing algorithm for serum or plasma specimens, used to determine the existence of HIV antibodies or antigens in the blood.
(A) No person shall request or require that a person reveal having taken HIV-related tests in the past.
(B)(i) No person shall request or require that an individual submit to an HIV-related test unless he or she has first obtained the individual’s written informed consent to the test. Before written, informed consent may be granted, the individual shall be informed, by means of a printed information statement that shall have been read aloud to the individual by any agent of the insurer at the time of application or later and then given to the individual for review and retention, of the following:
(I) an explanation of the test or tests to be given, including: the tests’ relationship to AIDS, the insurer’s purpose in seeking the test, potential uses and disclosures of the results, limitations on the accuracy of and the meaning of the test’s results, the importance of seeking counseling about the individual’s test results after those results are received, and the availability of information from and the telephone numbers of the Vermont Department of Health and the Centers for Disease Control and Prevention; and
(II) an explanation that the individual is free to consult, at personal expense, with a personal physician or counselor or the Vermont Department of Health, which shall remain confidential, or to obtain an anonymous test at the individual’s choice and personal expense, before deciding whether to consent to testing and that such delay will not affect the status of any application or policy; and
(III) a summary of the individual’s rights under this subdivision (20), including subdivisions (F)-(K); and
(IV) an explanation that the person requesting or requiring the test, not the individual or the individual’s health care provider, will be billed for the test, that the individual has a choice to receive the test results directly or to designate in writing prior to the administration of the test any other person through whom to receive the results, and any HIV positive test result from a test performed pursuant to this subdivision (20) shall be reported to the Vermont Department of Health pursuant to 18 V.S.A. § 1001.
(ii) In addition, before drawing blood, the person doing so shall give the individual to be tested an informed consent form containing the information required by the provisions of this subdivision (B), and shall then obtain the individual’s written informed consent.
(C) The forms for informed consent, information disclosure, and test results disclosure used for HIV-related testing shall be filed with and approved by the Commissioner pursuant to section 3541 of this title.
(D) HIV-related tests required by insurers or insurance support organizations must be processed in a laboratory certified under the Clinical Laboratory Improvement Act, 42 U.S.C. § 263a, or that meets the requirements of the federal Health Care Financing Administration under the Clinical Laboratory Improvement Amendments.
(E) The test protocol shall be considered positive only if testing results meet the most current Centers for Disease Control and Prevention recommended laboratory HIV testing algorithm or more reliable confirmatory test or test protocol that has been approved by the U.S. Food and Drug Administration.
(F) If the HIV-1/2 antibody differentiation test result is indeterminate, the insurer may delay action on the application, but no change in preexisting coverage, benefits, or rates under any separate policy or policies held by the individual shall be based upon such indeterminacy. If the HIV-1 NAT test result is negative, a new application for coverage shall not be denied by the insurer. If the HIV-1 NAT test is invalid, the full testing algorithm shall be repeated. No application for coverage shall be denied based on an indeterminate or invalid result. Any underwriting decision granting a substandard classification or exclusion based on the individual’s prior HIV-related test results shall be reversed, and the company performing any previous HIV-related testing that had forwarded to a medical information bureau reports based upon the individual’s prior HIV-related test results shall request the medical information bureau to remove any abnormal codes listed due to such prior test results.
(G)(i) Upon the written request of an individual for a retest, an insurer shall retest, at the insurer’s expense, any individual who was denied insurance, or offered insurance on any other than a standard basis, because of the positive results of an HIV-related test:
(I) once within the three-year period following the date of the most recent test; and
(II) in any event, upon updates to the Centers for Disease Control and Prevention recommended laboratory HIV testing algorithm for serum or plasma specimens.
(ii) If such retest is negative, a new application for coverage shall not be denied by the insurer based upon the results of the initial test. Any underwriting decision granting a substandard classification or exclusion based on the individual’s prior HIV-related test results shall be reversed, and the company performing a retest that had forwarded to a medical information bureau reports based upon the individual’s prior HIV-related test results shall request the medical information bureau to remove any abnormal codes listed due to such prior test results.
(H) An insurer, on the basis of the individual’s written informed consent as specified in subdivision (B) of this subdivision, if necessary to make underwriting decisions regarding the particular individual’s application, may disclose the results of an individual’s HIV-related test results to its reinsurers, or to those contractually retained medical personnel, laboratories, insurance support organizations, and insurance affiliates (but not agents or brokers) that are involved in underwriting decisions regarding the individual’s particular application. Other than the disclosures permitted by this subdivision, the entities listed herein, including the insurer, shall not further disclose to anyone individually identified HIV-related test result information without a separately obtained written authorization from the individual; provided, however, that if an individual’s test result is positive or indeterminate, then an insurer may report a code to the medical information bureau, provided that a nonspecific test result code is used that does not indicate that the individual was subjected to HIV-related testing.
(I) An insurer, reinsurer, contractually retained medical personnel, laboratories, medical information bureau, or other national data bank, insurance affiliate, or insurance support organizations that are obligated not to disclose any individually identifiable records of HIV-related tests pursuant to this subdivision (20) shall have no duty to disclose this information to any person except in compliance with a court order or as provided in subdivision (B) or (H) nor shall it have any liability to any person for refusing or failing to disclose such information.
(J) Any individual who sustains damage as a result of the unauthorized negligent or knowing disclosure of that individual’s individually identifiable HIV-related test result information in violation of subdivision (H) of this subdivision (20) may bring an action for appropriate relief in Superior Court against any person making such a disclosure. The Court may award costs and reasonable attorney’s fees to the individual who prevails in an action brought under this subdivision.
(K) In addition to any other remedy or sanction provided by law, after notice and opportunity for hearing, the Commissioner may assess an administrative penalty in an amount not to exceed $2,000.00 for each violation against any person who violates any provision of this subdivision (20) or subdivision (7)(C) of this section.
(21) Automobile glass services. In the case of claims for damage to automobile glass under a policy of insurance covering, in whole or in part, motor vehicles:
(A) Failing to inform an insured, at the time a claim is made, of the right of the insured to choose freely any company or location for providing automobile glass services.
(B) Intimidating, coercing, threatening, or misinforming an insured for the purpose of inducing the insured to use a particular company or location to provide automobile glass services.
(22) Genetic testing.
(A) Conditioning insurance rates, the provision or renewal of insurance coverage or benefits or other conditions of insurance for any individual on:
(i) any requirement or agreement of the individual to undergo genetic testing; or
(ii) the results of genetic testing of a member of the individual’s family unless the results are contained in the individual’s medical record.
(B) As used in this subdivision, “genetic testing” shall be defined as the term is defined in 18 V.S.A. § 9331(7). (Amended 1967, No. 186, eff. April 17, 1967; 1973, No. 216 (Adj. Sess.), § 4, eff. May 1, 1974; 1975, No. 180 (Adj. Sess.); 1979, No. 28, § 5; 1987, No. 194 (Adj. Sess.), §§ 1, 2; 1991, No. 135 (Adj. Sess.), § 7; 1991, No. 194 (Adj. Sess.); 1997, No. 160 (Adj. Sess.), § 5a, eff. Jan. 1, 1999; 1999, No. 91 (Adj. Sess.), § 17, eff. Jan. 1, 2001; 2001, No. 23, § 1; 2007, No. 41, § 9; 2007, No. 73, § 3, eff. April 1, 2008; 2019, No. 57, § 15; 2019, No. 103 (Adj. Sess.), § 22; 2021, No. 139 (Adj. Sess.), § 8, eff. May 27, 2022; 2023, No. 15, § 2, eff. May 10, 2023.)
§ 4725. Favored agent or insurer; coercion of debtors
(a) No person may:
(1) require, as a condition precedent to the lending of money or extension of credit, or any renewal thereof, that the person to whom such money or credit is extended or whose obligation the creditor is to acquire or finance, negotiate any policy or contract of insurance through a particular insurer or group of insurers or agent or broker or group of agents or brokers;
(2) unreasonably disapprove the insurance policy provided by a borrower for the protection of property securing the credit or lien; for the purpose of this subdivision, this disapproval shall be deemed unreasonable if it is not based solely on reasonable standards uniformly applied, relating to the extent of coverage required and the financial soundness and service of an insurer; these standards shall not discriminate against a particular type of insurer, nor shall these standards call for the disapproval of an insurance policy because the policy contains coverage in addition to that required;
(3) require directly or indirectly that any borrower, mortgagor, purchaser, insurer, broker, or agent pay a separate charge to substitute the insurance policy of one insurer for that of another. This subdivision does not include the interest that may be charged on premium loans or premium advancements in accordance with the security instrument;
(4) use or disclose information resulting from a requirement that a borrower, mortgagor, or purchaser furnish insurance of any kind on real property being conveyed or used as collateral security to a loan, when this information is to the advantage of the mortgagee, vendor, or lender, or is to the detriment of the borrower, mortgagor, purchaser, insurer, or the agent or broker complying with this request.
(b) The Commissioner may investigate any person to whom this section applies to determine whether such person has violated this section. (Amended 1973, No. 216 (Adj. Sess.), § 5, eff. May 1, 1974.)
§ 4726. Power of Commissioner; enforcement
(a) The Commissioner shall have the power to examine and investigate any person engaged in the business of insurance in this State in order to determine whether that person has been or is engaged in any unfair method of competition or in any unfair or deceptive act or practice.
(b) Any person violating any of the provisions of this chapter may be subject to an administrative penalty of not more than $1,000.00 for each violation. The Commissioner may impose an administrative penalty of not more than $10,000.00 each for those violations the Commissioner finds were willful. The Commissioner may suspend or revoke the license of any insurer or organization for any violation of this chapter or the failure to comply with an order of the Commissioner issued under this chapter.
(c) The powers vested in the Commissioner by this chapter shall be in addition to any other powers to enforce any penalties, fines, or forfeitures authorized by law with respect to the methods, acts, and practices hereby declared to be unfair or deceptive. (Amended 1973, No. 216 (Adj. Sess.), § 6, eff. May 1, 1974; 1979, No. 28, § 6; 1995, No. 167 (Adj. Sess.), § 19, eff. May 15, 1996; 2021, No. 105 (Adj. Sess.), § 225, eff. July 1, 2022.)
§ 4727. Personal insurance; use of credit information
(a) Purpose. The purpose of this section is to regulate the use of credit information for personal insurance so that consumers are afforded certain protections with respect to the use of such information.
(b) Scope. This section applies to personal insurance and not to commercial insurance. As used in this section, “personal insurance” means private passenger automobile, homeowners, motorcycle, mobile home owners, and noncommercial dwelling fire insurance policies. Such policies must be underwritten for personal, family, or household use. No other types of insurance shall be included as personal insurance for the purpose of this section.
(c) Definitions. As used in this section:
(1) “Adverse action” means a denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of personal insurance.
(2) “Affiliate” means any company that controls, is controlled by, or is under common control with another company.
(3) “Applicant” means an individual who has applied to be covered by a personal insurance policy with an insurer.
(4) “Consumer” means an insured whose credit information is used or whose insurance score is calculated in the underwriting or rating of a personal insurance policy or an applicant for such a policy.
(5) “Consumer reporting agency” means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.
(6) “Credit information” means any credit related information derived from a credit report, found on a credit report itself, or provided on an application for personal insurance. Information that is not credit related shall not be considered “credit information,” regardless of whether it is contained in a credit report or in an application or is used to calculate an insurance score.
(7) “Credit report” means any written, oral, or other communication of information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, or credit capacity that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor to determine personal insurance premiums, eligibility for coverage, or tier placement.
(8) “Insurance score” means a number or rating that is derived from an algorithm, computer application, model, or other process that is based in whole or in part on credit information for the purposes of predicting the future insurance loss exposure of an individual applicant or insured.
(d) Use of credit information. An insurer authorized to do business in this State that uses credit information to underwrite or rate risks shall not:
(1) Use an insurance score that is calculated using income, gender, address, zip code, ethnic group, religion, marital status, or nationality of the consumer as a factor.
(2) Deny, cancel, or nonrenew a policy of personal insurance solely on the basis of credit information without consideration of any other applicable underwriting factor independent of credit information and not expressly prohibited by subdivision (1) of this subsection.
(3) Base an insured’s renewal rates for personal insurance solely upon credit information without consideration of any other applicable factor independent of credit information.
(4) Take an adverse action against a consumer solely because he or she does not have a credit card account without consideration of any other applicable factor independent of credit information.
(5) Consider an absence of credit information or an inability to calculate an insurance score in underwriting or rating personal insurance unless the insurer does one of the following:
(A) treats the consumer as otherwise approved by the Commissioner if the insurer presents information that such an absence or inability relates to the risk for the insurer;
(B) treats the consumer as if the applicant or insured had neutral credit information, as defined by the insurer; or
(C) excludes the use of credit information as a factor and uses only other underwriting criteria.
(6) Take an adverse action against a consumer based on credit information unless an insurer obtains and uses a credit report issued or an insurance score calculated within 90 days from the date the policy is first written or renewal is issued.
(7) Use credit information unless not later than every 36 months following the last time that the insurer obtained current credit information for the insured, the insurer recalculates the insurance score or obtains an updated credit report. Regardless of the requirements of this subsection:
(A) At annual renewal, upon the request of a consumer or the consumer’s agent, the insurer shall reunderwrite and rerate the policy based upon a current credit report or insurance score. An insurer need not recalculate the insurance score or obtain the updated credit report of a consumer more frequently than once in a 12-month period.
(B) The insurer shall have the discretion to obtain current credit information upon any renewal before the 36 months if consistent with its underwriting guidelines.
(C) No insurer need obtain current credit information for an insured, despite the requirements of subdivision (A) of this subdivision (7), if one of the following applies:
(i) The insurer is treating the consumer as otherwise approved by the Commissioner.
(ii) The insured is in the most favorably priced tier of the insurer within a group of affiliated insurers. However, the insurer shall have the discretion to order such report if consistent with its underwriting guidelines.
(iii) Credit was not used for underwriting or rating such insured when the policy was initially written. However, the insurer shall have the discretion to use credit for underwriting or rating such insured upon renewal if consistent with its underwriting guidelines.
(iv) The insurer reevaluates the insured beginning not later than 36 months after inception and thereafter based upon other underwriting or rating factors, excluding credit information.
(8) Use the following as a negative factor in any insurance scoring methodology or in reviewing credit information for the purpose of underwriting or rating a policy of personal insurance:
(A) credit inquiries not initiated by the consumer or inquiries requested by the consumer for his or her own credit information;
(B) inquiries relating to insurance coverage, if so identified on a consumer’s credit report;
(C) collection accounts with a medical industry code, if so identified on the consumer’s credit report;
(D) multiple lender inquiries if coded by the consumer reporting agency on the consumer’s credit report as being from the home mortgage industry and made within 30 days of one another unless only one inquiry is considered; and
(E) multiple lender inquiries if coded by the consumer reporting agency on the consumer’s credit report as being from the automobile lending industry and made within 30 days of one another unless only one inquiry is considered.
(e) Extraordinary life circumstances.
(1) Notwithstanding any other law or rule to the contrary, an insurer that uses credit information shall, on written request from an applicant for insurance coverage or an insured, provide reasonable exceptions to the insurer’s rates, rating classifications, company or tier placement, or underwriting rules or guidelines for a consumer who has experienced and whose credit information has been directly influenced by any of the following events:
(A) a catastrophic event, as declared by the federal or State government;
(B) a serious illness or injury or a serious illness or injury to an immediate family member;
(C) the death of a spouse, child, or parent;
(D) divorce or involuntary interruption of legally owed alimony or support payments;
(E) identity theft;
(F) the temporary loss of employment for a period of three months or more if it results from involuntary termination;
(G) military deployment overseas; or
(H) other events as determined by the insurer.
(2) If an applicant or insured submits a request for an exception as set forth in subdivision (1) of this subsection, an insurer may, in its sole discretion, but is not mandated to:
(A) require the consumer to provide reasonable written and independently verifiable documentation of the event;
(B) require the consumer to demonstrate that the event had direct and meaningful impact on the consumer’s credit information;
(C) require such request be made not more than 60 days from the date of the application for insurance or the policy renewal;
(D) grant an exception despite the consumer not providing the initial request for an exception in writing; or
(E) grant an exception where the consumer asks for consideration of repeated events or the insurer has considered this event previously.
(3) An insurer is not out of compliance with any law or rule relating to underwriting, rating, or rate filing as a result of granting an exception under this section. Nothing in this section shall be construed to provide a consumer or other insured with a cause of action that does not exist in the absence of this section.
(4) The insurer shall provide notice to consumers that reasonable exceptions are available and information about how the consumer may inquire further.
(5) Within 30 days following the insurer’s receipt of sufficient documentation of an event described in subdivision (1) of this subsection, the insurer shall inform the consumer of the outcome of the request for a reasonable exception. Such communication shall be in writing or provided to an applicant in the same medium as the request.
(f) Dispute resolution and error correction. If it is determined through the dispute resolution process set forth in the federal Fair Credit Reporting Act, 15 U.S.C. § 1681i(a)(5), that the credit information of a current insured was incorrect or incomplete and if the insurer receives notice of such determination from either the consumer reporting agency or from the insured, the insurer shall reunderwrite and rerate the consumer within 30 days following receiving the notice. After reunderwriting or rerating the insured, the insurer shall make any adjustments necessary, consistent with its underwriting and rating guidelines. If an insurer determines that the insured has overpaid the premium, the insurer shall refund to the insured the amount of overpayment calculated back to the shorter of either the last 12 months of coverage or the actual policy period.
(g) Initial notification.
(1) If an insurer writing personal insurance uses credit information in underwriting or rating a consumer, the insurer or its agent shall disclose, either on the insurance application or at the time the insurance application is taken, that it may obtain credit information in connection with such application. Such disclosure shall be either written or provided to an applicant in the same medium as the application for insurance. The insurer need not provide the disclosure statement required under this section to any insured on a renewal policy if such consumer has previously been provided a disclosure statement.
(2) Use of the following example disclosure statement constitutes compliance with this section: “In connection with this application for insurance, we may review your credit report or obtain or use a credit-based insurance score based on the information contained in that credit report. We may use a third party in connection with the development of your insurance score.”
(h) Adverse action notification. If an insurer takes an adverse action based upon credit information, the insurer must meet the notice requirements of this subsection. Such insurer shall:
(1) Provide notification to the consumer that an adverse action has been taken, in accordance with the requirements of the federal Fair Credit Reporting Act, 15 U.S.C. § 1681m(a).
(2) Provide notification to the consumer explaining the reason for the adverse action. The reasons must be provided in sufficiently clear and specific language so that a person can identify the basis for the insurer’s decision to take an adverse action. Such notification shall include a description of up to four factors that were the primary influences of the adverse action. The use of generalized terms such as “poor credit history,” “poor credit rating,” or “poor insurance score” does not meet the explanation requirements of this subsection. Standardized credit explanations provided by consumer reporting agencies or other third-party vendors are deemed to comply with this section.
(i) Plain language. In any written communication or notification to a consumer pursuant to this section, an insurer shall use clear and plain language that is understandable to the average consumer.
(j) Filing. Insurers that use insurance scores to underwrite and rate risks must file their scoring models, or other scoring processes, with the Department of Financial Regulation. A third party may file scoring models on behalf of insurers. A filing that includes insurance scoring may include loss experience justifying the use of credit information. Any filing relating to credit information is considered a trade secret and is not subject to disclosure under Vermont’s Public Records Act.
(k) Indemnification. An insurer shall indemnify, defend, and hold agents harmless from and against all liability, fees, and costs arising out of or relating to the actions, errors, or omissions of a producer who obtains or uses credit information or insurance scores, or both, for an insurer, provided the producer follows the instructions of or procedures established by the insurer and complies with any applicable law or rule. Nothing in this section shall be construed to provide a consumer or other insured with a cause of action that does not exist in the absence of this section.
(l) Sale of policy term information by consumer reporting agency. A consumer reporting agency shall not provide or sell data or lists that include any information that in whole or in part was submitted in conjunction with an insurance inquiry about a consumer’s credit information or a request for a credit report or insurance score. Such information includes the expiration dates of an insurance policy or any other information that may identify time periods during which a consumer’s insurance may expire and the terms and conditions of the consumer’s insurance coverage. The restrictions provided in this subsection do not apply to data or lists the consumer reporting agency supplies to the insurance producer from whom information was received, the insurer on whose behalf such producer acted, or such insurer’s affiliates or holding companies. Nothing in this section shall be construed to restrict any insurer from being able to obtain a claims history report or a motor vehicle report. (Added 2017, No. 179 (Adj. Sess.), § 6, eff. May 28, 2018.)
§ 4728. Insurance data security
(a) Title. This section shall be known and may be cited as the “Vermont Insurance Data Security Law.”
(b) Construction.
(1) Notwithstanding any other provision of law, this section establishes the exclusive State standards applicable to licensees for data security and for the investigation of a cybersecurity event.
(2) This section shall not be construed to change any aspect of the Security Breach Notice Act, 9 V.S.A. § 2435.
(3) This section may not be construed to create or imply a private cause of action for violation of its provisions, nor may it be construed to curtail a private cause of action that would otherwise exist in the absence of this section.
(4) A licensee in compliance with N.Y. Comp. Codes R. & Regs. Title 23, section 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, shall be considered to meet the requirements of this section, provided that the licensee submits a written statement to the Commissioner certifying such compliance.
(c) Definitions. As used in this section:
(1) “Authorized person” means a person known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.
(2) “Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this State and whose nonpublic information is in a licensee’s possession, custody, or control.
(3) “Cybersecurity event” means an event resulting in unauthorized access to or disruption or misuse of an information system or nonpublic information stored on such information system. The term “cybersecurity event” does not include:
(A) the unauthorized acquisition of encrypted nonpublic information if the encryption, protective process, or key is not also acquired, released, or used without authorization; or
(B) an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
(4) “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
(5) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
(6) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as an industrial/process controls system, telephone switching and private branch exchange system, or environmental control system.
(7) “Licensee” means a person licensed, authorized to operate, or registered or required to be licensed, authorized, or registered pursuant to the insurance laws of this State, but shall not include:
(A) a captive insurance company;
(B) a purchasing group or risk retention group chartered; or
(C) a licensee domiciled in a jurisdiction other than this State that is acting as an assuming insurer for a licensee domiciled in this State.
(8) “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
(A) a knowledge factor, such as a password;
(B) a possession factor, such as a token or text message on a mobile phone; or
(C) an inherence factor, such as a biometric characteristic.
(9) “Nonpublic information” means information that is not publicly available information and is:
(A) business-related information of a licensee, the tampering with which or unauthorized disclosure, access, or use of which would cause a material adverse impact to the business, operations, or security of the licensee;
(B) information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify such consumer, in combination with any one or more of the following data elements:
(i) Social Security number;
(ii) driver’s license number or nondriver identification card number;
(iii) individual taxpayer identification number;
(iv) passport number;
(v) military identification card number;
(vi) financial account number or credit or debit card number;
(vii) security code, access code, or password that would permit access to a consumer’s financial account; or
(viii) biometric record;
(C) information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that relates to:
(i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family;
(ii) the provision of health care to any consumer; or
(iii) payment for the provision of health care to any consumer.
(10)(A) “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.
(B) As used in this subdivision, a licensee has a “reasonable basis to believe” that information is lawfully made available to the general public if the licensee has taken steps to determine:
(i) that the information is of the type that is available to the general public; and
(ii) whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.
(11) “Risk assessment” means the risk assessment that each licensee is required to conduct under subdivision (d)(3) of this section.
(12) “Third-party service provider” means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information or is otherwise permitted access to nonpublic information through its provision of services to the licensee.
(d) Information security program.
(1) Commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
(2) A licensee’s information security program shall be designed to:
(A) protect the security and confidentiality of nonpublic information and the security of the information system;
(B) protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
(C) protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and
(D) define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
(3) The licensee shall:
(A) designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee to be responsible for the information security program;
(B) identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
(C) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information;
(D) assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee’s operations, including:
(i) employee training and management;
(ii) information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
(iii) detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
(E) implement information safeguards to manage the threats identified in its ongoing assessment and, not less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.
(4) Based on its risk assessment, the licensee shall:
(A) Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control.
(B) Determine which security measures listed below are appropriate and implement such security measures:
(i) place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;
(ii) identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy;
(iii) restrict physical access to nonpublic information to authorized persons only;
(iv) protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
(v) adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;
(vi) modify the information system in accordance with the licensee’s information security program;
(vii) utilize effective controls, which may include multi-factor authentication procedures, for any individual accessing nonpublic information;
(viii) regularly test and monitor systems and procedures to detect actual and attempted attacks on or intrusions into information systems;
(ix) include audit trails within the information security program designed to detect and respond to cybersecurity events and reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
(x) implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and
(xi) develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.
(C) Include cybersecurity risks in the licensee’s enterprise risk management process.
(D) Stay informed regarding emerging threats and vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.
(E) Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
(5)(A) If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:
(i) require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s information security program;
(ii) require the licensee’s executive management or its delegates to report in writing at least annually the following information:
(I) the overall status of the information security program and the licensee’s compliance with this section; and
(II) material matters related to the information security program, addressing issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations and management’s responses thereto; and recommendations for changes in the information security program.
(B) If executive management delegates any of its responsibilities under subsection (d) of this section, it shall oversee the development, implementation, and maintenance of the licensee’s information security program prepared by the delegate or delegates and shall receive a report from the delegate or delegates complying with the requirements of the report to the board of directors.
(6)(A) A licensee shall exercise due diligence in selecting its third-party service provider.
(B) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider.
(7) A licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
(8)(A) As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the licensee’s information systems; or the continuing functionality of any aspect of the licensee’s business or operations.
(B) The incident response plan shall address the following areas:
(i) the internal process for responding to a cybersecurity event;
(ii) the goals of the incident response plan;
(iii) the definition of clear roles, responsibilities, and levels of decision-making authority;
(iv) external and internal communications and information sharing;
(v) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding cybersecurity events and related incident response activities; and
(vii) the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
(9) Annually, each insurer domiciled in this State shall submit to the Commissioner a written statement on or before April 15, certifying that the insurer is compliant with the requirements established in this subsection. Each insurer shall maintain for examination by the Commissioner all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the Commissioner.
(e) Investigation of a cybersecurity event.
(1) If the licensee learns that a cybersecurity event has or may have occurred, the licensee or an outside vendor or service provider, or both, designated to act on behalf of the licensee shall conduct a prompt investigation.
(2) During the investigation, the licensee or an outside vendor or service provider, or both, designated to act on behalf of the licensee shall, at a minimum, make the best effort to:
(A) determine whether a cybersecurity event has occurred;
(B) assess the nature and scope of the cybersecurity event;
(C) identify any nonpublic information that may have been involved in the cybersecurity event; and
(D) perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or control.
(3) The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner.
(f) Power of Commissioner.
(1) The Commissioner shall have power to examine and investigate into the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this section. This power is in addition to the powers the Commissioner has under section 4726 of this title and 9 V.S.A. § 2435(h)(2). Any such investigation or examination shall be conducted pursuant to section 4726 of this title.
(2) Whenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in this State that violates this section, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this section.
(g) Confidentiality.
(1) Any documents, materials or other information in the control or possession of the Commissioner that are furnished by a licensee or an employee or agent thereof acting on behalf of the licensee pursuant to subdivision (d)(8) of this section, or that are obtained by the Commissioner in an investigation or examination pursuant to subsection (f) of this section, shall be confidential by law and privileged, shall not be subject to 1 V.S.A. §§ 315–320, shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the Commissioner is authorized to use the documents, materials, or other information in the furtherance of any regulatory or legal action brought as a part of the Commissioner’s duties.
(2) Neither the Commissioner nor any person who received documents, materials, or other information while acting under the authority of the Commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to subdivision (1) of this subsection.
(3) To assist in the performance of the Commissioner’s duties under this section, the Commissioner may:
(A) share documents, materials, or other information, including confidential and privileged documents, materials, or information subject to subdivision (1) of this subsection, with other state, federal, and international regulatory agencies, the National Association of Insurance Commissioners, its affiliates or subsidiaries, and state, federal, and international law enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information shared;
(B) receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the National Association of Insurance Commissioners, its affiliates or subsidiaries, and from regulatory and law enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any document, material, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material, or information;
(C) share documents, materials, or other information subject to subdivision (1) of this subsection with a third-party consultant or vendor, provided that the consultant agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information shared; and
(D) enter into agreements governing the sharing and use of information consistent with this subsection.
(4) No waiver of any applicable privilege or claim of confidentiality in any document, material, or information shall occur as a result of its disclosure to the Commissioner under this section or as a result of sharing as authorized in subdivision (3) of this subsection.
(5) Nothing in this section shall prohibit the Commissioner from releasing final adjudicated actions that are open to public inspection pursuant to 1 V.S.A. §§ 315–320 to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners or its affiliates or subsidiaries.
(h) Exceptions.
(1) The following exceptions apply to this section:
(A) A licensee with fewer than 20 employees, including any independent contractors, is exempt from subsection (d) of this section.
(B) A licensee that is in possession of protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104–191, 110 Stat. 1936, that has established and maintains an information security program pursuant to such statutes and the rules, regulations, procedures, or guidelines established under HIPAA, is considered to meet the requirements of subsection (d) of this section, provided that the licensee is compliant with, and annually submits a written statement to, the Commissioner certifying its compliance with such program. As used in this section, the definition of “protected health information” is as set forth in HIPAA and the regulations promulgated under HIPAA and shall be considered to be a subset of nonpublic information.
(C) An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from subsection (d) of this section and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.
(D) A licensee that is affiliated with a financial institution, as defined in subdivision 11101(32) of this title, or a credit union, as defined in subdivision 30101(5) of this title, that has established and maintains an information security program in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth in section 501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., is considered to meet the requirements of subsection (d) of this section, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated financial institution’s or credit union’s adoption of an information security program that satisfies the interagency guidelines.
(2) In the event that a licensee ceases to qualify for an exception, such licensee shall have 180 days to comply with this section.
(i) Penalties. In the case of a violation of this section, a licensee may be penalized in accordance with section 3661 or 4726 of this title, as appropriate.
(j) Effective date. This section shall take effect on January 1, 2023. A licensee shall have one year from the effective date of this section to implement subsection (d) of this section, other than subdivision (d)(6) of this section. A licensee shall have two years from the effective date of this section to implement subdivision (d)(6) of this section. (Added 2021, No. 139 (Adj. Sess.), § 20, eff. May 27, 2022; amended 2023, No. 32, § 2, eff. July 1, 2023.)
§§ 4729-4738. Repealed. 1973, No. 216 (Adj. Sess.), § 7, eff. May 1, 1974.