Leaders Edge

August 11, 2017

The National Association of Insurance Commissioners’ (NAIC) Cybersecurity (Ex) Working Group has finally adopted its long-awaited Insurance Data Security Model Law, paving the way for adoption of the model by the full NAIC membership. The sixth and possibly final version of the model, intended to help protect consumers’ personally identifiable information (PII), will now move to the NAIC’s Executive Committee and, if approved, will be voted on by the full membership in a plenary session this fall.

In an industry vulnerable to data breaches due to vast amounts of customer PII, the NAIC’s Data Security Model Law seeks to “establish the exclusive standards for data security and investigation and notification of a breach of data security applicable to insurance providers.” The Model Law applies to all insurance “licensees” – including brokers – and anyone required to be licensed, authorized or registered by state law.

Generally, the Model Law establishes key definitions for terms such as “breach,” “consumer” and “personal information,” and outlines baseline requirements for an information security program, data breach investigation and notification, and consumer protections following a data breach. It requires that the state’s insurance commissioner be notified of a breach within 72 hours if the cyber incident affects more than 250 consumers residing in that state. One amendment worth noting replaced the requirement for an annual report with a written statement certifying compliance, according to a recent Reactions article.

It is also important to note that, under the most recent version, any insurer in compliance with the New York State Department of Financial Services (NYSDFS) Cybersecurity Rule, effective March 1, 2017, will also be deemed in compliance with the NAIC’s Insurance Data Security Model Law. The Model Law also includes a limited exemption for entities in compliance with HIPAA privacy requirements.

Finally, the Model Law gives firms one year from its effective date to put the bulk of the requirements in place, specifically an information security program, an incident response plan and annual certification. These dates, of course, will depend upon when (and if) the Model is adopted in a given state.

If you have questions regarding the NAIC’s Insurance Data Security Model Law, please contact The Council’s General Counsel, John Fielding, at