Catching up on the NAIC Data Security Model Law, Part 2

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP

As insurers continue to grapple with a number of pressing issues — COVID-19 lockdown, an effective California Consumer Privacy Act, and the pending California Privacy Rights Act — many may have lost track of states’ actions regarding enactment of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (MDL-668) (the Model Law).

As we reported in February 2020, the NAIC adopted the Model Law to “establish standards for data security and standards for the investigation and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.” As of February, eight states (Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina) had adopted the Model Law in some form. Since then, three additional states (Indiana, Louisiana and Virginia) have adopted versions of the Model Law, bringing the total number of adopting states to eleven.

While it is important to know which states have adopted the Model Law, it is also crucial to understand what each state has adopted. As suggested above, not every state has adopted the Model as written, and many have taken different approaches with respect to important features of the law. For example, the Model Law requires an insurer to notify a Commissioner “within 72 hours from a determination that a cybersecurity event has occurred.” Alabama, by contrast, requires notice to the commissioner no later than three business days after the determination of a cybersecurity event. In Michigan, an insurer need only notify a commissioner within 10 days of determination of a cybersecurity event.

States have also taken significantly different approaches to which entities are exempt from the requirement to develop and implement an information security program. The Model Law includes a limited exemption for insurers that have already established an information security program pursuant to HIPAA. Other states, such as Mississippi, have extended the exemption to also include insurers affiliated with a depository institution that maintain an information security program in compliance with GLBA’s interagency guidance.

Individual state laws even differ in their definitions of terms. For example, Alabama limits nonpublic information to certain electronic information, while South Carolina (and the NAIC Model) omit any such reference.

Insurers should carefully review each state’s take on the Model Law, as understanding the differences is crucial to ensuring compliance.

Faegre Drinker will continue to monitor state adoption of the NAIC Model.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.