‘Tis the Season . . . for Insurance Model Laws: NAIC Tackles Data Security

They seem to come earlier every year, don’t they? Grab your seasonally spiced latte and huddle around the bonfire to read the final version of the Insurance Data Security Model Law (Data Security Model) adopted by the National Association of Insurance Commissioners (NAIC). At an October 24 joint meeting of the Executive Committee and Plenary, the NAIC adopted the Data Security Model after over a year and a half of deliberation and interaction with trade groups. NAIC President and Wisconsin Insurance Commissioner Ted Nickel explained the importance of efforts to create this model to help protect consumers amid today’s evolving cyber threat landscape. The motion to adopt the Data Security Model passed almost unanimously, with Utah providing the only “no” vote.

What Does the Data Security Model Do and to Whom Does It Apply?

The Data Security Model closely parallels the recently issued New York Department of Financial Services Cybersecurity Regulation, which many insurance companies know well. The NAIC Data Security Model contains several key components that insurance entities should keep in mind:

• Broad applicability: The Data Security Model applies to all “Licensees.” A Licensee is “any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of [a] State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than [that] State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.” 
• Establishment of risk-based standards for data security: A Licensee is required to develop, implement and maintain a comprehensive written Information Security Program. A Licensee shall design its Information Security Program based on its Risk Assessment. The program should be designed to mitigate the identified risks, commensurate with the size and complexity of the Licensee’s activities, including its use of Third-Party Service Providers, and the sensitivity of the Nonpublic Information used by the Licensee or in the Licensee’s possession, custody or control.
• Notice requirements of Cybersecurity Event (to Commissioner(s)): A Licensee must notify the Commissioner of its state of domicile (if an insurer) or its home state (in the case of a producer) within 72 hours of a determination that a Cybersecurity Event has occurred. If certain other criteria are met, the Licensee may be required to notify Commissioners of other states. 
• Notice requirements of Cybersecurity Event (to consumers): A Licensee shall comply with its state’s data breach notification law, as applicable. (There are now 48 states, plus territories and the District of Columbia, that have such notification laws). 
• Oversight of Board of Directors: A Licensee’s Board of Directors (or a committee thereof) must require that a Licensee’s executive management (or its delegates) develop, implement and maintain the company’s Information Security Program. A Licensee’s Board of Directors (or a committee thereof) must require that the company’s executive management (or its delegates) report annually in writing about the status of the Information Security Program and its compliance with the Data Security Model and other material matters related to the Information Security Program. 
• Timing: The Data Security Model provides for a 180-day phase-in of the requirements. It will be up to the states to determine the appropriate timeframes for compliance. 

What Comes Next?

As noted by several regulators on the Executive and Plenary call, several states plan to include a version of the Data Security Model in their upcoming legislative packages. Commissioner and NAIC Officer Farmer of South Carolina encouraged other states to do the same. Commissioner Farmer also noted that he would support an effort to make the adoption of the Data Security Model an Accreditation Standard. The process to include a model act in the Accreditation Standards goes through the Financial Regulation Standards and Accreditation (F) Committee and takes a few years. It bears noting that many of the principles outlined in the Data Security Model are gaining wider acceptability as “best practices” to prevent, respond to and mitigate cyber threats domestically and internationally. 

States have extra motivation to adopt the Data Security Model or a similar law following the October 27 release of the U.S. Department of the Treasury report on Asset Management and Insurance. The report includes recommendations to the states to adopt uniform data security and breach notification legislation, and a recommendation to Congress to step in with legislation if a state legislative effort fails (although still leaving supervision and enforcement to the states).

We will closely follow any action at the state level and monitor further cyber-related developments that may impact insurance entities across the country.