Maine and North Dakota recently adopted the National Association of Insurance Commissioners (NAIC) data security model law. They join at least 11 others states who have already adopted the model law.  The model law applies to insurers, insurance agents and other entities licensed by the state department of insurance.

As we wrote about in our insurance certifications round-up, among other requirements, the model law requires organizations subject to the law to have:

• A comprehensive written information security program commensurate with the company’s size and complexity
• A written incident response plan
• Employee training
• Appropriate oversight by the company’s board of directors

Neither law will take effect right away. Maine’s Model Law is not effective until January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect later, on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.

Putting it Into Practice: We anticipate more states will continue to adopt the NAIC model security law. Those in the insurance field should keep these security obligations in mind when assessing the sufficiency of their practices.