On October 24, 2017, during a joint meeting of the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary, the NAIC officially adopted the Insurance Data Security Model Law (Model Law) to establish standards for data security and the investigation of and notification requirements following a cybersecurity event.
Previously, the Model Law had advanced through the NAIC Innovation and Technology Task Force and the Cybersecurity Working Group during the NAIC's 2017 Summer National Meeting on August 7.
The Model Law establishes model rules for insurers, agents, and other entities regulated by state insurance departments (each, a “Licensee,” as defined in the Model Law) for
- developing, implementing, and maintaining a comprehensive written information security program based on ongoing risk assessments and that contains administrative, technical, and physical safeguards for the protection of personal data;
- overseeing third-party service providers and requiring that such providers implement the requisite measures to protect and secure personal data accessible to, or held by, such providers;
- setting guidelines for boards of directors or their committees, as applicable to the Licensee, to direct executives to develop, implement, maintain, and report on the information security program;
- establishing incident response plans for responding to, and recovering from, any cybersecurity event; and
- investigating data breaches and notifying the requisite regulators and authorities and those parties affected by a cybersecurity event.
The Model Law closely follows New York’s cybersecurity regulation, which passed in March and took effect on August 28. In a drafting note from the NAIC’s August 7 working draft of the Model Law, the drafters explicitly note that any Licensee that is compliant with the New York regulation would also be compliant with the Model Law.
With the Model Law’s adoption by the NAIC, it is now available for consideration and adoption by individual states.