Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

NAIC Adopts Insurance Data Security Model Law


The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017. The purpose of the Model Law is to establish standards for data security and for the investigation of, and notification to the Insurance Commissioner of, a Cybersecurity Event[1]; it is not intended to create a private right of action.

The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017.[2] In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.

As with the NYDFS Cyber Regulations, the Model Law requires:

  • Creation of a comprehensive Information Security Program based on a risk assessment that identifies risks to the business, including its use of Third-Party Service Providers, and determination of which security measures are appropriate to implement;
  • Designation of an individual to oversee the Information Security Program;
  • Oversight by the Board of Directors;
  • Oversight of Third-Party Service Provider agreements;
  • Establishment of an incident response plan;
  • Investigation and notification of Cybersecurity Events within 72 hours from a determination that a reportable Cybersecurity Event has occurred; and
  • Providing an annual certification of compliance to the Insurance Commissioner by February 15 of each year (note, unlike the NYDFS Cyber Regulations, which require an annual certification from every Covered Entity, the Model Law only requires domestic insurers to provide the annual certification).

There are several exemptions from compliance with the Model Law. Licensees with fewer than ten employees are exempt, as are Licensees who are subject to the Health Insurance Portability and Accountability Act and maintain an Information Security Program pursuant to that law (a written statement of compliance is required). A Licensee who is an employee, agent, representative or designee of another Licensee may be covered by the other Licensee’s Information Security Program. Additionally, foreign purchasing groups, risk retention groups, and foreign or alien assuming insurers are excluded from the definition of a “Licensee.”

The consistency between the NYDFS Cyber Regulations and the Model Law eases concerns about the challenges of complying with a patchwork of laws. Because it is a model law, states must now enact it for it to become enforceable. During the recent NAIC Fall National Meeting, the Cybersecurity (EX) Working Group, which drafted the Model Law, reminded states that the Treasury Department’s October 2017 report on the asset management and insurance industries included a recommendation that if states fail to enact uniform cybersecurity laws within five years, then Congress should enact a national insurance cybersecurity law. This reminder was meant to prompt swift action by states to adopt the Model Law.

[1] “Cybersecurity Event” is defined broadly under the Model Law as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.” Exclusions include: (i) “the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization”; and (ii) “an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”

[2] See DBR on Data Fact Sheet: NYDFS Cyber Regulations


December 14, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Financial Services
Tags: Insurance, NAIC, NYDFS


©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.