Catching up on the NAIC Data Security Model Law
By Josephine Cicchetti
In 2019, many of us were so consumed by preparations for the January 1, 2020, effectiveness of the CCPA that we may have lost track of activities concerning state enactment of the NAIC Insurance Data Security Model Law. To recap, in October 2017, the NAIC adopted its Insurance Data Security Model Law (MDL-668) and released it to the states for legislative consideration. Significantly resembling New York’s Cybersecurity Regulation (23 NYCRR 500), the purpose of the Model is to “establish standards for data security and standards for the investigation and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.” Licensees include individuals and nongovernmental entities that are required to be authorized, registered or licensed pursuant to a state’s insurance laws.
Among its most significant provisions, the Model requires that all licensees develop, implement and maintain a comprehensive Information Security Program (ISP) that is based on an individual risk assessment and that is commensurate with the licensee’s size and complexity, the nature and scope of its activities, and the sensitivity of the nonpublic information used or in the licensee’s possession, custody or control. The program should address electronic and nonelectronic, nonpublic information. Nonpublic information covers information that is not publicly available and includes material business information of the licensee as well as specified personal, financial and health information concerning a consumer or a family member.
The Model requires oversight by the board of directors or an appropriate board committee, the designation of a responsible person for the ISP, and oversight and due diligence of all third-party service providers. A licensee must also monitor its program to adjust for changes in technology, establish a written incident response plan and annually certify to the commissioner that it is in compliance with the ISP requirements.
The Model includes specific requirements for investigation and notification to the commissioner in the case of a cybersecurity event. A cybersecurity event is defined as an event resulting in unauthorized access to, disruption of, or misuse of an information system or information stored on such a system. It does not include encrypted information where the encryption key has not been acquired, released or used, or events where the licensee has determined that the nonpublic information has not been used or released and has been returned or destroyed. Notification to the commissioner of the licensee’s domicile or home state is required within 72 hours of determining that a cybersecurity event has occurred; notification is also required to any other state where 250 or more impacted insureds reside, if either of the following criteria is met: other federal or state laws require disclosure of the incident, or material harm to a consumer in that state, or to the licensee’s normal operations, is reasonably likely. Notification to affected consumers is governed by the states’ general data breach notification laws, with copies of such notices provided to the commissioner.
In October 2017, the U.S. Treasury recommended “prompt adoption” of the Model Law by the states and stated that if adoption and implementation have not occurred within five years, Congress should pass a law specifying requirements for insurer data security, but leave supervision and enforcement to state insurance regulators. (A Financial System That Creates Economic Opportunities – Asset Management and Insurance, U.S. Department of the Treasury, October 2017, p. 117).
So where is the NAIC Model today? To date, the law is live in eight states: Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina.
Effective Dates for Compliance with State-Adopted Insurance Data Security Laws

State | Effective Date | Compliance Date for Information Security Requirements | Compliance Date for Third-Party Service Provider Requirements
Alabama | May 1, 2019 | May 1, 2020 | May 1, 2021
Connecticut | October 1, 2019 | October 1, 2020 | October 1, 2021
Delaware | July 31, 2019 | July 31, 2020 | July 31, 2021
Michigan | January 20, 2021 | January 20, 2022 | January 20, 2023
Mississippi | July 1, 2019 | July 1, 2020 | July 1, 2021
New Hampshire | January 1, 2020 | January 1, 2021 | January 1, 2022
Ohio | March 20, 2019 | March 20, 2020 | March 20, 2021
South Carolina | January 1, 2019 | July 1, 2019 | July 1, 2020
In general, licensees are given one year from the effective date to implement an information security program, and two years to fully implement third-party service provider requirements of the Act.
Currently, eyes are on Indiana (HB 1372), Maine (LD 1995), Oklahoma (SB 1919), Virginia (HB 1334), and Wisconsin (AB 819), where legislation to adopt the Model is pending. Georgia has not released draft insurance data security legislation, but reportedly is discussing draft language.
In a related development, in January 2020, the New York Department of Financial Services published a Notice of Proposed Rule Making to amend the Cybersecurity Regulation Section 500.17 and Appendix A to change the Certification of Compliance annual due date from February 15 to April 15. The public comment period regarding the proposed amendment expires on March 9, 2020.
Faegre Drinker will continue to monitor these issues.