Cyber Incident Victim: Texas Life Insurance Company

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident affecting Texas Life Insurance Company compromised the personal data of policyholders, agents, and beneficiaries. The breach was part of a larger event involving the MOVEit file transfer system used by a third-party vendor. Over 37,500 Delaware residents were impacted across the insurers named in the state's consumer alert, and the company is required to provide affected consumers with credit monitoring services for at least one year. The Delaware Department of Insurance is investigating the breach.

Description

The incident involving Texas Life Insurance Company was part of a larger, widespread data security event impacting numerous insurers and their third-party vendors, specifically through the exploitation of a vulnerability in the MOVEit file transfer services system. This event triggered the provisions of Delaware’s Insurance Data Security Act, which mandates specific protocols for insurers operating within the state. The breach was publicly acknowledged by the Delaware Department of Insurance in a consumer alert initially issued on June 26, 2023, and subsequently updated on July 24, 2023, as more information was received from affected companies. The incident itself occurred on or around May 31, 2023, which aligns with the initial public disclosure of the MOVEit vulnerability by its developer, Progress Software.

The breach did not originate from a direct compromise of Texas Life Insurance Company's own internal systems but rather through its engagement with third-party vendors that utilized the MOVEit application for secure file transfers. These vendors, which were not named in the public alert, were compromised due to a vulnerability within the MOVEit software. This vulnerability was exploited by attackers to gain unauthorized access to the file transfer systems, thereby accessing data that was being stored or transmitted by these vendors on behalf of their clients, including Texas Life Insurance Company. The specific technical details of the attacker's methods were not elaborated upon in the state's consumer alert, but the event is consistently referred to as the "MOVEit data breach."

As a result of this third-party vendor compromise, the personal information of individuals associated with Texas Life Insurance Company was exposed. The Delaware Department of Insurance reported that more than 37,500 Delaware residents were impacted across all insurers named in their alert, which included Texas Life Insurance Company. The affected individuals included the company's agents, policyholders, and beneficiaries whose data was being handled by the compromised vendor. The exact nature of the personal data that was compromised was not specified in the available information, but such breaches typically involve sensitive personally identifiable information.

In accordance with the Delaware Insurance Data Security Act, which was passed in 2019 and implemented the National Association of Insurance Commissioners’ model law, specific response actions were mandated for Texas Life Insurance Company and the other affected insurers. The law requires a thorough investigation of the cybersecurity event and the correction of any compromised information systems. Furthermore, it mandates detailed reporting of the incident to the Delaware Insurance Commissioner. A critical requirement of the act is the notification to affected consumers. Insurers are obligated to provide this notification within 60 days of discovering the breach, unless federal law or a request from a law enforcement agency requires an altered timeline.

As part of the consumer notification and remediation effort, Texas Life Insurance Company was required to provide affected individuals with credit monitoring services at no cost for a minimum period of one year. The company was also obligated to provide these individuals with information and guidance on how to freeze their credit with the major credit bureaus as a protective measure against potential identity theft and fraud resulting from the exposure of their personal data. Delaware Insurance Commissioner Trinidad Navarro publicly encouraged all consumers impacted by the breach, including those of Texas Life Insurance Company, to take advantage of these offered services to protect their identities.

The regulatory response involved an investigation led by the Delaware Department of Insurance. Commissioner Navarro stated that the department's Market Conduct staff would be investigating the situation, likely in coordination with investigators from other states due to the multi-state nature of the incident. The focus of this investigation was to assess whether appropriate safeguards and data handling protocols, as required by the Insurance Data Security Act, were in place at the time of the breach. The department possesses the authority to investigate violations of the act and to levy penalties accordingly if it is determined that the involved companies or their vendors failed to comply with the law's data protection requirements. The final outcomes of these investigations and any potential penalties were not detailed in the initial consumer alert. The incident highlighted the risks associated with third-party vendor relationships and the reliance on commercial software for critical data transfer functions, leading to a significant compromise of consumer data across the insurance sector.
