National Association of Insurance Commissioners Adopts Insurance Data Security Model Law
On October 24, 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. The NAIC is the U.S. standards-setting and regulatory support organization created and governed by the insurance regulators of all 50 states, the District of Columbia and five U.S. territories. The Model Law seeks to govern the data security and standards of insurers, insurance agents and brokers, and other entities regulated by state insurance departments. As the Model Law is intended to serve as model legislation only, states will need to enact it into law for it to become mandatory and enforceable against insurance licensees.
Key components of the Model Law include requirements for:
Implementation of a comprehensive written information security program based on ongoing risk assessments
Oversight of the information security program by the board of directors
Oversight of third-party service provider arrangements
Establishment of an incident response plan
Annual certification of compliance to state insurance departments
Investigation and notification of cybersecurity events, including a 72-hour regulatory notification deadline, specific information required in regulatory notifications and a requirement for reinsurers to notify insurers.
The Model Law closely tracks the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR Part 500. NYDFS Superintendent Maria Vullo confirmed that she and her staff worked closely with the NAIC in its development of the Model Law. In a Drafting Note defining the Purpose and Intent of the Model Law, the drafters explicitly state that compliance with the NYDFS Regulation is compliance with the Model Law.
The NAIC’s Model Law demonstrates the increased adoption of the NYDFS’s approach to data security and standards. Although the Model Law is more rigorous than most existing state laws, it may pave the way for more uniform, and therefore more predictable, state-by-state data security and regulatory breach notification laws and standards applicable to insurers and other regulated insurance entities.