On August 17, 2016, the Cybersecurity Task Force (Task Force) of the National Association of Insurance Commissioners (NAIC) released for comment a revised draft of an Insurance Data Security Model Law (Model Law). This revised draft Model Law addresses comments received from regulators, industry participants and the public on the initial draft proposed by the Task Force on March 2, 2016. (For more information, see our Legal Update, “NAIC Proposes Cybersecurity Model Law for the Insurance Industry.”) The Model Law, if adopted by the NAIC and enacted by the states in its present form, would establish the “exclusive standards” under state law for data security and investigation and notification of a data breach applicable to “licensees.” The term “licensee” is defined as “any person or entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state.” It would therefore include insurance companies as well as insurance agents and brokers, claims adjusters and administrators.

Continue reading.