On October 24, 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The NAIC Model Law builds on existing data privacy and consumer breach notification requirements by requiring insurance licensees to comply with detailed requirements regarding their information security programs, their response to cybersecurity events, and notification of those events.
The NAIC Model Law is similar to the cybersecurity regulation issued earlier this year by the New York Department of Financial Services (DFS). Unlike the New York DFS regulation, however, the NAIC Model Law pertains solely to insurance licensees, and because it is a model law, it will only apply to licensees in any given state if it is enacted into law by that state. Moreover, each state will have the freedom to modify the text of the NAIC Model Law as it sees fit.