Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
August 03, 2021

NAIC Insurance Data Security Model Law (MDL-668) Update

The NAIC Data Security Model Law (Model 668) continues its journey through the various state legislatures. Whether all 50 states meet the U.S. Treasury-recommended 2022 deadline for adoption of uniform data security regulations for the industry remains to be seen.[1] Currently, as set forth in the chart below, 18 states have adopted Model 668.

| State | Effective Date | Compliance Date for ISP Requirements | Compliance Date for 3rd-Party Service Provider Program Requirements |
|---|---|---|---|
| Alabama | 5/1/2019 | 5/1/2020 | 5/1/2021 |
| Connecticut | 10/1/2019 | 4/19/2021 | 10/1/2021 |
| Delaware | 7/31/2019 | 7/31/2020 | 7/31/2021 |
| Hawaii | 7/1/2021 | 7/1/2022 | 7/1/2023 |
| Indiana | 6/30/2021 | 6/30/2021 | -- |
| Iowa | 1/1/2022 | 1/1/2023 | 1/1/2024 |
| Louisiana | 8/1/2020 | 8/1/2021 | 8/1/2022 |
| Maine | 1/1/2022 | 1/1/2022 | 1/1/2023 |
| Michigan | 1/20/2021 | 1/20/2022 | 1/20/2023 |
| Minnesota | 8/1/2021 | 8/1/2022 | 8/1/2023 |
| Mississippi | 7/1/2019 | 7/1/2020 | 7/1/2021 |
| New Hampshire | 1/1/2020 | 1/1/2021 | 1/1/2022 |
| North Dakota | 3/23/2021 | 8/1/2022 | 8/1/2023 |
| Ohio | 3/20/2019 | 3/20/2020 | 3/20/2021 |
| South Carolina | 1/1/2019 | 7/1/2019 | 7/1/2020 |
| Tennessee | 7/1/2021 | 7/1/2022 | 7/1/2023 |
| Virginia | 7/1/2020 | 7/1/2022 | 7/1/2022 |
| Wisconsin | 11/1/2021 | 11/1/2022 | 11/1/2023 |

Idaho, Illinois and Rhode Island have, so far, failed in their efforts to adopt Model 668.

While the adopting states have largely followed the provisions of Model 668, insurance licensees must take note of individual state variations. For example, the deadline to report cybersecurity events to the commissioner varies from state to state: it is three business days in most states, but 72 hours in South Carolina, five business days in Minnesota and 10 business days in Michigan.

Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to licensees for data security, investigation and notification to the commissioner of a cybersecurity event. Most states have adopted an exclusive standard provision; Connecticut and South Carolina have not. It is notable that Model 668 itself also does not provide for an exclusive standard.

Given the activities of the NAIC Privacy Protections Group, which is now focused on updating NAIC Model 672, Privacy of Consumer Financial and Health Information Regulation, it is possible that future amendments to Model 668 will be required to align the Models. We will continue to monitor and report on these issues as developments arise.

  1. See A Financial System That Creates Economic Opportunities, Asset Management and Insurance, U.S. Department of the Treasury (November 15, 2017), pp. 115-117; available here (Accessed 7/26/2021).
