The NAIC Data Security Model Law (Model 668) continues its journey through the various state legislatures. Whether all 50 states meet the U.S. Treasury-recommended 2022 deadline for adoption of uniform data security regulations for the industry remains to be seen.¹ Currently, as set forth in the chart below, 18 states have adopted Model 668.

Idaho, Illinois and Rhode Island have, so far, failed in their efforts to adopt Model 668.

While the adopting states have largely followed the provisions of Model 668, insurance licensees must take note of individual state variations. For example, the deadline to report cybersecurity events to the commissioner varies from state to state. While the requirement is usually three business days in most states, it is 72 hours in South Carolina, five business days in Minnesota and 10 business days in Michigan.

Another variation is whether a state’s version establishes that the law is the “exclusive standard” applicable to licensees for data security, investigation and notification to the commissioner of a cybersecurity event. Most states have adopted an exclusive standard provision, however, Connecticut and South Carolina have not. It is notable that Model 668 also does not provide for an exclusive standard.

Given the activities of the NAIC Privacy Protections Group, which is now focused on updating NAIC Model, 672 Privacy of Consumer Financial and Health Information Regulation, it is possible that future amendments to Model 668 will be required to align the Models. We will continue to monitor and report on these issues as developments arise.

FOOTNOTES

1. See A Financial System That Creates Economic Opportunities, Asset Management and Insurance, U.S. Department of the Treasury (November 15, 2017), pp. 115-117; available here (Accessed 7/26/2021).