Five Things Insurers, Producers and Other Licensees Should Know About the NAIC Insurance Data Security Model Law

In the final quarter of 2017, the NAIC adopted the Insurance Data Security Model Law, making it available for consideration and adoption by the states in 2018. Some states, including South Carolina and Vermont, have already indicated their intent to include the Model Law on their 2018 legislative calendars.

The Model Law closely tracks New York’s Cybersecurity Regulation. In fact, in a drafting note, the Model Law makes clear that if a Licensee is in compliance with the New York Cybersecurity Regulation, it is also in compliance with the Model Law.

Regardless of whether, when, and in what form the Model Law is adopted in a particular state, implementing a written Information Security Program of the type described in the Model Law appears to be a good business practice for most insurance industry participants. And, with state adoption likely on the horizon, it is important for Licensees to begin to become informed now of the Model Law’s requirements, so they can be ready to implement those or similar requirements when enacted by the various states. To assist in this effort, below are five things that Licensees should know about the Model Law:

1. The Model Law applies to all Licensees under the insurance laws with few exceptions.

The Model Law covers “Licensees,” which are defined as “any person licensed, authorized to operate, or registered pursuant to the insurance laws of [State]” but does not include a risk purchasing group, a risk retention group, or a Licensee acting as an assuming insurer that is domiciled in another jurisdiction. This broad definition would include licensed insurance companies, insurance producers, excess lines brokers, insurance consultants and insurance adjusters.

2. The Model Law requires Licensees to develop a written Information Security Program.

The Model Law requires that each Licensee have a comprehensive written Information Security Program based on the Licensee’s risk assessment that contains safeguards for the protection of nonpublic information and the Licensee’s information system.

However, the Model Law provides for three limited exceptions from the Information Security Program requirements for:

  • Licensees with fewer than 10 employees, including independent contractors;
  • An employee, agent, representative or designee of a Licensee, who is itself a Licensee, to the extent it is covered by the Information Security Program of the other Licensee; or
  • Licensees that are subject to HIPAA that have established and maintain an Information Security Program pursuant to HIPAA.

3. A Licensee’s board of directors has oversight responsibility.

The Model Law requires that an annual written report of the Licensee’s executive management be provided to the board of directors to inform the board of the overall status of the Information Security Program and the Licensee’s compliance with the Model Law. The Model Law also provides an oversight requirement on the board to require executive management to develop, implement and maintain the Information Security Program. These requirements of the Model Law make clear that board accountability is an important part of the Licensee’s overall data security program.

4. Insurers subject to the Model Law are required to file an annual certification with the commissioner and to retain records for five years.

Annually, on February 15th, each insurer domiciled in a state that adopts the Model Law will be required to submit to the commissioner a written statement that certifies the insurer is in compliance with the requirements of its Information Security Program. Additionally, the insurer will be required to maintain records supporting the certification for a period of five years.

5. Licensees are required to exercise due diligence in selecting third-party service providers.

Licensees are ultimately responsible for oversight of their vendors and contractors who have access to protected information and must require these providers to implement measures to protect and secure information systems that are accessible to the third-party service provider.

Because the Model Law is not yet an accreditation standard, there may be significant deviations or additional requirements in adopted state versions of the Model Law. Insurance companies and other licensed entities will need to continuously monitor when the Model Law is enacted by states in which they do business and identify any deviations from the Model Law to ensure full compliance on a state-by-state basis.