Kentucky Governor Andy Beshear recently signed House Bill 474 to become the latest state to enact data insurance security legislation. The new law is modeled after the data security law of the National Association of  Insurance Commissioners (NAIC). Licensees with more than 50 employees who are authorized to operate, or are registered under the insurance laws of Kentucky, must comply with the new law. The law requires that licensees comply with data security provisions such as developing a written information security program, investigating and reporting cybersecurity events to the insurance commissioner within three days, and conducting risk assessments.

Although the law takes effect on January 1, 2023, licensees will have one year from its effective date of the law to implement many provisions of the law, including performing the risk assessment, establishing the written information security program, and designating an individual or vendor who is responsible for the information security program. The law also states the licensees have two years to design and implement a full information security program.

We previously wrote about the NAIC Model Law when Maine and North Dakota enacted similar laws. Our latest count is that now 21 states have enacted similar laws, some with slight variations as to notification periods, timelines, or definitions.