Vermont Governor Scott signed the Vermont Insurance Data Security Law (available here) (the “VIDSL”), becoming the 22nd state to adopt a cybersecurity statute based on the National Association of Insurance Commissioners Insurance Data Security Model Law (NAIC Model 668). Importantly for many licensees, the new Vermont statute, which will be effective January 1, 2023 (with some delayed compliance dates) codifies a drafters’ note of NAIC Model 668 (which has not been adopted in all state implementations) stating that compliance with the Cybersecurity Regulation of the New York Department of Financial Service, with a written certification of such compliance, is deemed to satisfy the requirements of the VIDSL.

There are some differences between the VIDSL and NAIC Model 668, the most important of which is the lack of a Vermont requirement to report certain cybersecurity events to the commissioner. Instead, the VIDSL specifically provides that it “shall not be construed to change any aspect of the Security Breach Notice Act, 9 V.S.A. § 2435,” which requires entities regulated by the Department of Financial Regulation to provide notice of certain cybersecurity events to the Department, but without the 72 hour deadline of NAIC Model 668.

For those keeping track, NAIC Model 668 has been adopted in the following 22 states as of June 21, 2022: AL, AK, CT, DE, HI, IN, IA, KY, LA, ME, MD, MI, MN, MS, NH, ND, OH, SC, TN, VT, VA, and WI.