Cybersecurity Model Law Proposal Draws Fire from Insurance Industry

The insurance industry is currently pushing back on a recently introduced Insurance Data Security Model Law proposed by the NAIC’s cybersecurity task force. The law, which is intended to “establish the exclusive standards for data security and investigation, and notification of a breach of data security applicable to licensees,” was released for public comment in early March. While the law was approved by the NAIC Executive Committee due to the need for cyber insurance regulatory safeguards and standards, members of the insurance industry complain that “it would be difficult or impossible to comply with all the provisions of the act.” Additionally, industry representatives claim instead of promoting uniformity, this law would “create a myriad of state data security laws for insurers” which would be nearly impossible to comply with for a typical insurance agency. Instead of being consistent throughout the states, one insurance representative said that the law attempts to pre-empt federal law meaning it could later be challenged in the courts. Due to a lack of “give and take” between the NAIC and the industry as a whole, this law has been opposed by the industry more than any other newly proposed model law, according to one industry representative. The 130 pages of comments to the Insurance Data Security Model Law can be found here.