In April, Kentucky (HB 474) and Maryland (SB 207) adopted insurance data security legislation based on the National Association of Insurance Commissioners (NAIC) model law. A total of 15 states have now adopted the NAIC Model Law. We previously discussed the requirements of the model law in our insurance certifications round-up, including its recent adoption by other states. Among other things, the model law calls for insurers to quickly report and investigate data breaches and to certify annually that they comply with its security provisions.

Maryland’s law takes effect on October 1, 2022 and Kentucky’s law goes into effect on January 1, 2023. Both states have a one-year grace period with respect to the requirement to establish a written information security program and a two-year grace period for compliance with relevant service provider oversight requirements.

Putting It Into Practice: As more states look to adopt the model law, insurers should evaluate their in-house security programs and monitor developments in states that have yet to pass similar laws.