The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017. The purpose of the Model Law is to establish standards for data security and the investigation of and notification to the Insurance Commissioner of a Cybersecurity Event[1], but is not intended to create a private right of action.
The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017. [2] In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.
As with the NYDFS Cyber Regulations, the Model Law requires:
- Creation of a comprehensive Information Security Program based on a risk assessment that identifies risks to the business, including its use of Third-Party Service Providers, and determination of which security measures are appropriate to implement;
- Designation of an individual to oversee the Information Security Program;
- Oversight by the Board of Directors;
- Oversight of Third-Party Service Provider agreements;
- Establishment of an incident response plan;
- Investigation and notification of Cybersecurity Events within 72 hours from a determination that a reportable Cybersecurity Event has occurred; and
- Providing an annual certification of compliance to the Insurance Commissioner by February 15 of each year (note, unlike the NYDFS Cyber Regulations, which require an annual certification from every Covered Entity, the Model Law only requires domestic insurers to provide the annual certification).
There are several exemptions from compliance with the Model Law. Licensees with fewer than ten employees and Licensees who are subject to the Health Insurance Portability and Accountability Act and maintain an Information Security Program pursuant to that law (a written statement of compliance is required) are exempt. A Licensee who is an employee, agent, representative or designee of another Licensee, may be covered by the other Licensee’s Information Security Program. Additionally, foreign purchasing groups and risk retention groups and foreign or alien assuming insurers are excluded from the definition of a “Licensee.”
The consistency between the NYDFS Cyber Regulations and the Model Law ease concerns regarding the challenges associated with complying with a patchwork of laws. As a model law, states must now enact it into law for it to become enforceable. During the recent NAIC Fall National Meeting, the Cybersecurity (EX) Working Group, which drafted the Model Law, reminded states that the Treasury Department’s October 2017 report on the asset management and insurance industries included a recommendation that if states fail to enact uniform cybersecurity laws within five years, then Congress should enact a national insurance cybersecurity law. This reminder was meant to prompt swift action by states to adopt the Model Law.
[1] “Cybersecurity Event” is defined broadly under the Model Law as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.” Exclusions include: (i) “the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization”; and (ii) “an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”
[2] See DBR on Data Fact Sheet: NYDFS Cyber Regulations
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.