Catching up on the NAIC Data Security Model Law, Part 2
As insurers continue to grapple with a number of pressing issues — the COVID-19 lockdown, the now-effective California Consumer Privacy Act, and the pending California Privacy Rights Act — many may have lost track of states’ actions regarding enactment of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (MDL-668) (the Model Law).
As we reported in February 2020, the NAIC adopted the Model Law to “establish standards for data security and standards for the investigation and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.” As of February, eight states (Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina) had adopted the Model Law in some form. Since then, three additional states (Indiana, Louisiana and Virginia) have adopted versions of the Model Law, bringing the total number of adopting states to eleven.
While it is important to know which states have adopted the Model Law, it is also crucial to understand what each state has adopted. As suggested above, not every state has adopted the Model as written, and many have taken different approaches with respect to important features of the law. For example, the Model Law requires an insurer to notify a Commissioner “within 72 hours from a determination that a cybersecurity event has occurred.” Alabama, by contrast, requires notice to the commissioner no later than three business days after the determination of a cybersecurity event. In Michigan, an insurer need only notify a commissioner within 10 days of determination of a cybersecurity event.
States have also taken significantly different approaches to which entities are exempt from the requirement to develop and implement an information security program. The Model Law includes a limited exemption for insurers that have already established an information security program pursuant to HIPAA. Other states, such as Mississippi, have extended the exemption to also include insurers affiliated with a depository institution that maintain an information security program in compliance with GLBA’s interagency guidance.
Individual state laws even differ in their definitions of terms. For example, Alabama limits nonpublic information to certain electronic information, while South Carolina (and the NAIC Model) omits any such reference.
Insurers should carefully review each state’s take on the Model Law, as understanding the differences is crucial to ensuring compliance.
Faegre Drinker will continue to monitor state adoption of the NAIC Model.