On Tuesday and Wednesday of this week, we attended the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force Interim Meeting in Washington, D.C. The meeting focused on the current draft of the Insurance Data Security Model Law, providing stakeholders an opportunity to comment before it moves to the next stage. This model law, which is intended to “establish the exclusive standards for data security and investigation, and notification of a breach of data security applicable to licensees,” was first released for public comment in early March. While much of the conversation over the two days focused on minor details regarding definitions, risk management requirements, and data breach notification requirements, the overall consensus was that, in some areas, the law is too broad, too prescriptive, or simply not possible to follow.
One of the main areas of concern expressed during the meeting was the fear that, if enacted, this NAIC model would simply add another layer of compliance for the industry. There are currently 47 different state data breach notification laws across the country, and many states have data security requirements in place as well. Moreover, there is talk of federal action on the issue. The NAIC’s intent is for the model to preempt other relevant state laws, but there is no guarantee that will happen – models are rarely enacted word-for-word, and this is a “hot” issue, with a great deal of interest from state attorneys general and others. As for The Council, the broad concern is that an insurance-specific approach, while appealing in theory, is not possible because this is an issue that crosses sectors. We want to avoid multiple and duplicate requirements among the states. Nonetheless, the NAIC process appears to be going relatively smoothly, and the timeline is fast, especially for the NAIC. Comments on the current model law draft are due by next Friday, after which another draft will be released for review and comment. While there is a lot more to come, the NAIC appears to be pushing hard to get the model prepared for adoption by the NAIC Cybersecurity Task Force’s August meeting in San Diego.