Most businesses in the insurance industry have one thing in common – they collect and maintain significant amounts of sensitive, nonpublic information including personal information. Not surprisingly, insurance-related businesses are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. Beyond the headlines, however, small and mid-sized insurance companies face similar risks, and governments have stepped up their scrutiny of cybersecurity. Hearing the calls for legislation and regulation, the National Association of Insurance Commissioners (NAIC) adopted a Data Security Model Law with the goal of having it adopted in all states within a few years. So far, eight states (see below) have adopted a version of the Model Law and it looks like more are on the way.

What is the NAIC’s Data Security Model Law?

In an effort that largely began with establishing a task force in 2014, the NAIC adopted a Data Security Model Law in November 2017. The Model Law is intended to provide a benchmark for any cybersecurity program. The requirements in the Model Law track some familiar data security frameworks, such as the HIPAA Security Rule. It also has many similarities to the New York State Department of Financial Services (NYDFS) regulations (specifically the 23 NYCRR 500). Note that licensees are not subject to the Model Law unless the state where that licensee is licensed adopts a version of the Model Law. At that time, the licensee must comply with that law.

Who is Subject to the Model Law?

The Model Law generally applies to “Licensees,” defined as:

any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Licensees range from large insurance carriers to small independent adjusters. These include individuals providing insurance related services, firms such as agency and brokerage businesses, and insurance companies. Additionally, there may be business that require a license, but are not traditionally considered to be in the insurance business. Examples include car rental companies and travel agencies that offer insurance packages in connection with their primary business.

The Model Rule provides exceptions for certain licensees. For example, licensees with fewer than ten employees (including independent contractors) are exempt from the requirement to maintain an information security program. However, they remain subject to the other provisions in the Model Law, such as the requirement to provide notification in the case of certain cybersecurity events.

What are some of the requirements of the Model Law?
Continue Reading Licensed by Your State’s Insurance Commissioner? Comprehensive Data Security Requirements Are Headed Your Way

UPDATE: The changes to the Massachusetts data breach notification law described below are now in effect. Thus, if you have discovered a data incident involving the personal information of Massachusetts residents you will want to review these changes carefully – they are significant and the Commonwealth is intent on educating the public about them. Because