Insurers operating in multiple states must comply with a patchwork of state-level legislation patterned after the NAIC’s Insurance Data Security Model Law
In 2017, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in response to a growing number of cyber incidents within the insurance industry. Similar to the NIST CSF, the NAIC Model Law is voluntary unless a state elects to codify its guidelines into legislation. In 2018, South Carolina became the first state to get on board.
Two years later, more states are passing versions of the NAIC Model Law or their own data security laws targeting insurers. Connecticut, Delaware, and New Hampshire are the latest to jump into the fray, with Connecticut patterning its legislation after the cyber security regulations the State of New York passed in 2017 targeting the finance and insurance industries, and the other states using the NAIC Model.
What’s in the NAIC Model Law?
The purpose of the NAIC Model is to establish a uniform set of standards for data security, breach investigation, and breach notification within the insurance industry. The model includes guidelines regarding security testing, implementing an information security program, assessing cyber risks, incident response, and breach notification procedures. The NAIC Model applies to “licensees,” a broad category that includes companies ranging from large insurance carriers to small, independent adjusters.
The NAIC Model Law requires licensees to develop and maintain a comprehensive, written, and customized “Information Security Program” based on a risk assessment and containing administrative, technical, and physical security controls. The NAIC Model provides a number of guidelines for security controls, which licensees must implement as “appropriate” based on the results of their risk assessment:
- Adopt secure development practices for in-house application development.
- Restrict access at physical locations to authorized personnel.
- Utilize technical access controls to restrict access to covered data on information systems.
- Encrypt or protect by “other appropriate means” covered data that is transmitted over an external network or stored on a laptop computer or other portable computing or storage device.
Licensees must also include cyber risks in their enterprise risk management processes and notify their state insurance commissioner of a cybersecurity event within 72 hours of determining that one has occurred.
It’s important to note that the NAIC Model Law applies to “nonpublic information,” which covers a much broader range of data than “personal information.” In addition to personal information, such as Social Security Numbers, driver’s license information, and customer health information, nonpublic information includes “business related information of a Licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Licensee.”
Insurers must grapple with a patchwork of state-level data security laws
While state-level insurance data security laws are similar, there are significant differences that insurers need to be aware of. For example, the NAIC Model Law exempts licensees with fewer than 10 employees. However, New Hampshire exempts licensees with fewer than 20 employees, and Delaware’s law exempts those with fewer than 15. Michigan set the magic number at 25 and also excluded independent contractors; Connecticut is taking a phased approach.
Some states have also modified the NAIC’s suggestion of a 72-hour breach notification deadline. Licensees in Connecticut, Delaware, and Ohio have three business days, while Michigan insurers have 10 days.
When the NAIC unveiled the Model Law, its goal was to get all states to pass a version of it within three years. Regardless of whether the NAIC reaches its target, insurers should expect more state-level legislation on data security and privacy and prepare to adjust accordingly.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.