NAIC Insurance Data Security Model Law (MDL-668) Update

Faegre Drinker Biddle & Reath LLP
Contact

Faegre Drinker Biddle & Reath LLP

The NAIC Data Security Model Law (Model 668) continues its journey through the various state legislatures. Whether all 50 states meet the U.S. Treasury-recommended 2022 deadline for adoption of uniform data security regulations for the industry remains to be seen.1 Currently, as set forth in the chart below, 18 states have adopted Model 668.

State

Effective Date

Compliance Date for ISP Requirements

Compliance Date for 3rd-Party Service Provider Program Requirements

Alabama

5/1/2019

5/1/2020

5/1/2021

Connecticut

10/1/2019

4/19/2021

10/1/2021

Delaware

7/31/2019

7/31/2020

7/31/2021

Hawaii

7/1/2021

7/1/2022

7/1/2023

Indiana

6/30/2021

6/30/2021

--

Iowa

1/1/2022

1/1/2023

1/1/2024

Louisiana

8/1/2020

8/1/2021

8/1/2022

Maine

1/1/2022

1/1/2022

1/1/2023

Michigan

1/20/2021

1/20/2022

1/20/2023

Minnesota

8/1/2021

8/1/2022

8/1/2023

Mississippi

7/1/2019

7/1/2020

7/1/2021

New Hampshire

1/1/2020

1/1/2021

1/1/2022

North Dakota

3/23/2021

8/1/2022

8/1/2023

Ohio

3/20/2019

3/20/2020

3/20/2021

South Carolina

1/1/2019

7/1/2019

7/1/2020

Tennessee

7/1/2021

7/1/2022

7/1/2023

Virginia

7/1/2020

7/1/2022

7/1/2022

Wisconsin

11/1/2021

11/1/2022

11/1/2023

Idaho, Illinois and Rhode Island have, so far, failed in their efforts to adopt Model 668.

While the adopting states have largely followed the provisions of Model 668, insurance licensees must take note of individual state variations. For example, the deadline to report cybersecurity events to the commissioner varies from state to state. While the requirement is usually three business days in most states, it is 72 hours in South Carolina, five business days in Minnesota and 10 business days in Michigan.

Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to licensees for data security, investigation and notification to the commissioner of a cybersecurity event. Most states have adopted an exclusive standard provision, however, Connecticut and South Carolina have not. It is notable that Model 668 also does not provide for an exclusive standard.

Given the activities of the NAIC Privacy Protections Group, which is now focused on updating NAIC Model, 672 Privacy of Consumer Financial and Health Information Regulation, it is possible that future amendments to Model 668 will be required to align the Models. We will continue to monitor and report on these issues as developments arise.

FOOTNOTES

  1. See A Financial System That Creates Economic Opportunities, Asset Management and Insurance, U.S. Department of the Treasury (November 15, 2017), pp. 115-117; available here (Accessed 7/26/2021).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP
Contact
more
less

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.