[co-author: Rebecca Kocsis]
The National Association of Insurance Commissioners (NAIC)’s model data security law (“Model Law”) was recently adopted by Maine and North Dakota. This addition brings the total number of states that have joined the NAIC Model Law to 13. The Model Law, which we have covered previously, was issued in 2017. Since its introduction, states have been strongly encouraged to adopt the law or similar security protections if similar existing legislation is absent.
The Model Law requires insurance organizations to have a comprehensive, written security program that is appropriate to the insurer’s size and complexity, as well as a written incident response plan, employee training and oversight by the insurer’s board of directors, and oversight of third-party service providers through due diligence and security requirements. The Model Law further calls for insurers to quickly report and investigate data breaches and to certify annually their efforts to comply with security provisions.
Maine’s adoption of the Model Law will not be effective until January 1, 2022. Further, in Maine, the requirements for third-party service provider arrangements will not be effective until January 1, 2023. North Dakota’s adoption of the Model Law will take effect on August 1, 2022. For North Dakota, the requirements to report and document cybersecurity events and incident response activities will not become effective until August 1, 2023.
As more states look to adopt the NAIC Model Law, insurers should evaluate their in-house security programs, and monitor developments in states that have yet to pass similar laws.