CONSUMER ALERT: Data Breach of Third-Party Vendor Used by Genworth
A third party vendor for Genworth Financial has disclosed a data breach that impacts the personal information of an estimated 2.7-million individuals – including about 8000 Delawareans. The compromised information may include agents, policyholders and beneficiaries’ data – including names, contact information , dates of birth, social security numbers and policy numbers. Consumers should be watchful and protect their data.
More information from Insurance Commissioner Trinidad Navarro:
This event triggers Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following now occur:
- Investigation of a cybersecurity event and correction of compromised information systems
- Detailed reporting to the Insurance Commissioner
- Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
- Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit
Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly. “I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”
The department has received a relevant policyholder list, including consumers of long-term care, life insurance, and annuities lines, which investigators may use to check company compliance with the Act. Consumer service representatives may also use this information to help concerned agents, policyholders, and beneficiaries who contact the office.
This incident was a part of a significant cybersecurity attack involving the MOVEit file transfer system, with the breach likely occurring May 29-30 before a corrective action was implemented on June 2. The department has not at this time been notified of additional insurer or insured information being accessed as part of this breach.
The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.