September 21, 2021

Volume XI, Number 264


September 20, 2021

Subscribe to Latest Legal News and Analysis

Two Other States Adopt Model Data Security Law for Insurance Industry

Maine and North Dakota recently adopted the National Association of Insurance Commissioners (NAIC) data security model law. They join at least 11 others states who have already adopted the model law.  The model law applies to insurers, insurance agents and other entities licensed by the state department of insurance.

As we wrote about in our insurance certifications round-up, among other requirements, the model law requires organizations subject to the law to have:

  • A comprehensive written information security program commensurate with the company’s size and complexity
  • A written incident response plan
  • Employee training
  • Appropriate oversight by the company’s board of directors

Neither law will take effect right away. Maine’s Model Law is not effective until January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect later, on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.

Putting it Into Practice: We anticipate more states will continue to adopt the NAIC model security law. Those in the insurance field should keep these security obligations in mind when assessing the sufficiency of their practices.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 109

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...