March 23, 2018

NAIC Adopts Insurance Data Security Model Law

On October 24, 2017, during a joint meeting of the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary, the NAIC officially adopted the Insurance Data Security Model Law (Model Law) to establish standards for data security and the investigation of and notification requirements following a cybersecurity event.

Previously, the Model Law had advanced through the NAIC Innovation and Technology Task Force and the Cybersecurity Working Group during the NAIC's 2017 Summer National Meeting on August 7.


The Model Law establishes model rules for insurers, agents, and other entities regulated by state insurance departments (each, a “Licensee,” as defined in the Model Law) for

  • developing, implementing, and maintaining a comprehensive written information security program that is based on ongoing risk assessments and contains administrative, technical, and physical safeguards for the protection of personal data;

  • overseeing third-party service providers and requiring that such providers implement the requisite measures to protect and secure personal data accessible to, or held by, such providers;

  • setting guidelines for boards of directors or their committees, as applicable to the Licensee, to direct executives to develop, implement, maintain, and report on the information security program;

  • establishing incident response plans for responding to, and recovering from, any cybersecurity event; and

  • investigating data breaches and notifying the requisite regulators and authorities and those parties affected by a cybersecurity event.

The Model Law closely follows New York’s cybersecurity regulation, which passed in March and took effect on August 28 (see the press release and summary of the New York regulation). In a drafting note from the NAIC’s August 7 working draft of the Model Law, the drafters explicitly note that any Licensee that is compliant with the New York regulation would also be compliant with the Model Law.

With the Model Law’s adoption by the NAIC, it is now available for consideration and adoption by individual states.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author


Rahul Kapoor is a partner in Morgan Lewis's Business and Finance Practice, the firmwide hiring partner, and a member of the firm's Legal Personnel and Finance Committees. Mr. Kapoor has deep transactional experience in strategic alliances, joint ventures, corporate partnering transactions, standards body licensing structures, intellectual property strategic counseling, technology licensing, open source software strategy, electronic commerce and privacy, supply and distribution agreements, consignment agreements, spin-outs and core technology licenses, IT outsourcing...

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.