NAIC Insurance Data Security Model Law (MDL-668) Update
The NAIC Data Security Model Law (Model 668) continues its journey through the various state legislatures. Whether all 50 states meet the U.S. Treasury-recommended 2022 deadline for adoption of uniform data security regulations for the industry remains to be seen.[1] Currently, as set forth in the chart below, 18 states have adopted Model 668.
| State | Effective Date | Compliance Date for ISP Requirements | Compliance Date for 3rd-Party Service Provider Program Requirements |
| --- | --- | --- | --- |
| Alabama | 5/1/2019 | 5/1/2020 | 5/1/2021 |
| Connecticut | 10/1/2019 | 4/19/2021 | 10/1/2021 |
| Delaware | 7/31/2019 | 7/31/2020 | 7/31/2021 |
| Hawaii | 7/1/2021 | 7/1/2022 | 7/1/2023 |
| Indiana | 6/30/2021 | 6/30/2021 | -- |
| Iowa | 1/1/2022 | 1/1/2023 | 1/1/2024 |
| Louisiana | 8/1/2020 | 8/1/2021 | 8/1/2022 |
| Maine | 1/1/2022 | 1/1/2022 | 1/1/2023 |
| Michigan | 1/20/2021 | 1/20/2022 | 1/20/2023 |
| Minnesota | 8/1/2021 | 8/1/2022 | 8/1/2023 |
| Mississippi | 7/1/2019 | 7/1/2020 | 7/1/2021 |
| New Hampshire | 1/1/2020 | 1/1/2021 | 1/1/2022 |
| North Dakota | 3/23/2021 | 8/1/2022 | 8/1/2023 |
| Ohio | 3/20/2019 | 3/20/2020 | 3/20/2021 |
| South Carolina | 1/1/2019 | 7/1/2019 | 7/1/2020 |
| Tennessee | 7/1/2021 | 7/1/2022 | 7/1/2023 |
| Virginia | 7/1/2020 | 7/1/2022 | 7/1/2022 |
| Wisconsin | 11/1/2021 | 11/1/2022 | 11/1/2023 |
Idaho, Illinois and Rhode Island have, so far, failed in their efforts to adopt Model 668.
While the adopting states have largely followed the provisions of Model 668, insurance licensees must take note of individual state variations. For example, the deadline to report cybersecurity events to the commissioner varies from state to state. While the requirement is three business days in most states, it is 72 hours in South Carolina, five business days in Minnesota and 10 business days in Michigan.
Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to licensees for data security, investigation and notification to the commissioner of a cybersecurity event. Most states have adopted an exclusive standard provision; however, Connecticut and South Carolina have not. It is notable that Model 668 also does not provide for an exclusive standard.
Given the activities of the NAIC Privacy Protections Group, which is now focused on updating NAIC Model 672, Privacy of Consumer Financial and Health Information Regulation, it is possible that future amendments to Model 668 will be required to align the Models. We will continue to monitor and report on these issues as developments arise.
[1] See A Financial System That Creates Economic Opportunities, Asset Management and Insurance, U.S. Department of the Treasury (November 15, 2017), pp. 115-117; available here (Accessed 7/26/2021).
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.