Over the last several years, the National Association of Insurance Commissioners (“NAIC”) has developed the NAIC Insurance Data Security Model Law (“Model Law”) in response to several high-profile data breaches and growing concern among insurers and financial institutions about cyber and data security. The Model Law is meant to serve as a benchmark for states looking to adopt a cybersecurity regulatory program.
The Model Law requires insurers and insurance agencies licensed by a state insurance department (“licensees”) to develop, implement, and maintain a comprehensive written information security program, based on a risk assessment, to protect consumer nonpublic information and a licensee’s information system. The Model Law also generally requires licensees to investigate cybersecurity events, oversee third-party vendors and, under certain circumstances, notify the state insurance commissioner.
Most states already have laws in place impacting privacy, security, and breach notification standards, and many are considering taking the additional step to adopt their own version of the Model Law. Some states have already done so, while New York has developed its own cybersecurity law from the ground up.
The Model Law and state variants contain many important definitions, exceptions, and exclusions to key aspects, such as the meaning of licensee, the scope of applicability, and breach notification standards. Such nuance requires careful review by entities potentially subject to these laws. Licensees may be impacted by cyber and data security laws in any state in which they operate, but special attention should be paid to the applicable laws in a licensee’s state of domicile.
As a practical matter, a licensee facing a multi-state and differentiated compliance burden will often fold the most stringent requirements of each applicable law into a single compliance program. Individual states’ insurance departments may be able to provide additional information as well.
Source: Acuity Magazine, 2019 Issue 10