December 18, 2018


December 17, 2018


NAIC Adopts Insurance Data Security Model Law

On October 24, 2017, during a joint meeting of the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary, the NAIC officially adopted the Insurance Data Security Model Law (Model Law) to establish standards for data security and the investigation of and notification requirements following a cybersecurity event.

Previously, the Model Law had advanced through the NAIC Innovation and Technology Task Force and the Cybersecurity Working Group during the NAIC's 2017 Summer National Meeting on August 7.


The Model Law establishes model rules for insurers, agents, and other entities regulated by state insurance departments (each, a “Licensee,” as defined in the Model Law) for:

  • developing, implementing, and maintaining a comprehensive written information security program that is based on ongoing risk assessments and contains administrative, technical, and physical safeguards for the protection of personal data;

  • overseeing third-party service providers and requiring that such providers implement the requisite measures to protect and secure personal data accessible to, or held by, such providers;

  • setting guidelines for boards of directors or their committees, as applicable to the Licensee, to direct executives to develop, implement, maintain, and report on the information security program;

  • establishing incident response plans for responding to, and recovering from, any cybersecurity event; and

  • investigating data breaches and notifying the requisite regulators and authorities and those parties affected by a cybersecurity event.

The Model Law closely follows New York’s cybersecurity regulation, which passed in March and took effect on August 28 (see the press release and summary of the New York regulation). In a drafting note to the NAIC’s August 7 working draft of the Model Law, the drafters explicitly state that any Licensee that is compliant with the New York regulation would also be compliant with the Model Law.

With the Model Law’s adoption by the NAIC, it is now available for consideration and adoption by individual states.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Rahul Kapoor, Intellectual property lawyer, Morgan Lewis

With a focus on commercial, intellectual property (IP), and technology transactions, Rahul Kapoor counsels clients on strategic alliances, joint ventures, and corporate partnering transactions in the technology and life science industries. He also handles standards body licensing structures, patent licensing, open source software strategy, e-commerce and privacy, supply and distribution agreements, consignment agreements, spinoffs and core technology licenses, and IT outsourcing transactions. Rahul is a member of the firm’s Advisory Board, leader of the India initiative...

Valerie A. Gross, Business Technology Attorney, Morgan Lewis

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.