January 19, 2020
NAIC Adopts Insurance Data Security Model Law

The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017.  The purpose of the Model Law is to establish standards for data security and the investigation of and notification to the Insurance Commissioner of a Cybersecurity Event[1], but is not intended to create a private right of action.

The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017. [2]  In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.

As with the NYDFS Cyber Regulations, the Model Law requires:

  • Creation of a comprehensive Information Security Program based on a risk assessment that identifies risks to the business, including its use of Third-Party Service Providers, and determination of which security measures are appropriate to implement;
  • Designation of an individual to oversee the Information Security Program;
  • Oversight by the Board of Directors;
  • Oversight of Third-Party Service Provider agreements;
  • Establishment of an incident response plan;
  • Investigation and notification of Cybersecurity Events within 72 hours from a determination that a reportable Cybersecurity Event has occurred; and
  • Providing an annual certification of compliance to the Insurance Commissioner by February 15 of each year (note, unlike the NYDFS Cyber Regulations, which require an annual certification from every Covered Entity, the Model Law only requires domestic insurers to provide the annual certification).

There are several exemptions from compliance with the Model Law.  Licensees with fewer than ten employees, and Licensees who are subject to the Health Insurance Portability and Accountability Act and maintain an Information Security Program pursuant to that law (a written statement of compliance is required), are exempt.  A Licensee who is an employee, agent, representative or designee of another Licensee may be covered by the other Licensee’s Information Security Program.  Additionally, foreign purchasing groups and risk retention groups and foreign or alien assuming insurers are excluded from the definition of a “Licensee.”

The consistency between the NYDFS Cyber Regulations and the Model Law eases concerns regarding the challenges associated with complying with a patchwork of laws.  As a model law, it must be enacted by the states before it becomes enforceable.  During the recent NAIC Fall National Meeting, the Cybersecurity (EX) Working Group, which drafted the Model Law, reminded states that the Treasury Department’s October 2017 report on the asset management and insurance industries included a recommendation that if states fail to enact uniform cybersecurity laws within five years, then Congress should enact a national insurance cybersecurity law.  This reminder was meant to prompt swift action by states to adopt the Model Law.

[1] “Cybersecurity Event” is defined broadly under the Model Law as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.” Exclusions include: (i) “the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization”; and (ii) “an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”

[2] See DBR on Data Fact Sheet: NYDFS Cyber Regulations

©2020 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

Yuliya Feldman, Drinker Biddle Law Firm, Insurance Attorney

Yuliya Feldman assists clients with a wide range of insurance regulatory and transactional matters. She also assists with general corporate matters.

While in law school, Yuliya worked for approximately two years as a law clerk in the Law Department of SCOR Reinsurance Company, where she worked on a variety of projects involving corporate governance matters, regulatory matters, and commercial matters. In law school, she was also involved with the International Law Society, where she served as Treasurer.