Cyber Incident Victim: Manhattan National Life Insurance Company
Date: May 2023
Location: United States of America
Summary
A cybersecurity incident involving Manhattan National Life Insurance Co. was part of a larger breach of the MOVEit file transfer system used by third-party vendors. The event compromised the personal data of agents, policyholders, and beneficiaries, impacting over 37,500 Delaware residents. The breach triggered state regulatory requirements, mandating an investigation, consumer notification, and the provision of complimentary credit monitoring services for affected individuals.
Description
The incident involving Manhattan National Life Insurance Co. was part of a larger series of data breaches impacting numerous insurers and their third-party vendors, primarily centered around the exploitation of a vulnerability in the MOVEit file transfer service. This widespread cybersecurity event triggered reporting obligations under Delaware’s Insurance Data Security Act. The breach was publicly addressed by the Delaware Department of Insurance in a consumer alert initially issued on June 26, 2023, and subsequently updated on July 24, 2023, as more information was received from affected companies. The department confirmed that the personal data of more than 37,500 Delaware residents, who served as agents, policyholders, or beneficiaries of various insurers including Manhattan National Life Insurance Co., was potentially compromised.

The core of the incident stemmed from a third-party vendor's use of the MOVEit file transfer system, which was breached by an unauthorized actor. This system is commonly used to transfer large files containing sensitive data. The specific vulnerability exploited in the MOVEit software was not detailed in the provided information, but the event was significant enough to be categorized under the state's legal definition of a cybersecurity event. The breach did not directly target Manhattan National Life Insurance Co.'s own internal information systems but instead impacted data that was being managed or transferred on their behalf by an external vendor utilizing the compromised MOVEit application.
Following the discovery of the breach, the involved parties, including the insurers and their affected vendors, were required by law to initiate an investigation into the cybersecurity event. The mandate under the Insurance Data Security Act required a thorough investigation to understand the scope and cause of the breach and to correct any compromised information systems to prevent further unauthorized access. This investigative process was a critical first step in the response, aiming to ascertain the full extent of the data exposure and to identify the specific individuals whose information was accessed or acquired by the threat actor.
The Delaware Department of Insurance played a central role in coordinating the response and ensuring compliance with state law. Insurance Commissioner Trinidad Navarro publicly addressed the breach, emphasizing the seriousness with which the department viewed the compromise of personal information. The department's Market Conduct staff were tasked with investigating the situation, an effort that was expected to be conducted in collaboration with investigators from other states across the country. A key objective of this investigation was to assess whether appropriate data security safeguards and protocols had been in place for the handling of the consumer data that was ultimately exposed in the breach.
A primary legal requirement for the insurers, including Manhattan National Life Insurance Co., was to provide detailed reporting of the incident to the Delaware Insurance Commissioner. This reporting was mandated to provide transparency and to allow the regulatory body to oversee the response. Furthermore, the law strictly required that affected consumers be notified of the breach within 60 days of its discovery, unless a federal law or a request from a law enforcement agency necessitated a modified timeline for this notification. This ensured that impacted individuals were informed in a timely manner so they could take steps to protect themselves.
As part of the consumer notification process, the insurers were obligated to provide specific remedies to those affected. The Delaware Insurance Data Security Act mandated that all consumers whose data was compromised must be provided with credit monitoring services at no cost for a minimum period of one year. In addition to this service, the notifications were required to include information and instructions on how to freeze one's credit with the major credit bureaus. These measures were designed to mitigate the potential financial and identity fraud risks posed by the exposure of personal information.
The legal framework that governed this response, the Insurance Data Security Act, was passed by the Delaware General Assembly in 2019. Delaware was among the first states to implement this model law, which was developed by the National Association of Insurance Commissioners. The law was specifically designed to fortify data security measures within the insurance industry and to enhance the protection of consumer data. It establishes clear requirements for insurance licensees and their third-party vendors regarding data protection, breach investigation, and consumer notification protocols. The department retains the authority to investigate any violations of the Act and to levy penalties accordingly, providing a significant enforcement mechanism.
The overall impact of this incident was substantial, directly affecting tens of thousands of residents in Delaware alone. The compromised personal information, while not explicitly detailed in the source, typically includes highly sensitive data such as names, addresses, Social Security numbers, and medical or policy information in the context of an insurance company breach. The compromise of such data carries a high risk of identity theft and financial fraud for the affected individuals. The response actions were therefore focused on both containing the technical aspects of the breach and mitigating the downstream effects on consumers through the provision of credit monitoring and educational resources. The investigation by state authorities also sought to determine if any regulatory failures or lack of appropriate safeguards contributed to the event.
