The National Association of Insurance Commissioner’s (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver. 

In its third draft, the Insurance Data Security Model Law – which the NAIC’s cybersecurity task force started work on in March 2016 – sets forth risk-based data security standards that would apply to “licensees,” generally defined as organizations that operate by virtue of a state’s insurance laws including insurers, brokers, agents, and their service providers.

The stated purpose of the model law is to establish “exclusive standards for data security and investigation and notification of a breach of data security applicable to insurance providers.”  In order for the model law to pass muster with the NAIC membership, it requires approval by two-thirds majority of the group’s executive committee.  At that point, it would then be up to each state legislature to decide whether to enact the model law – either “as is” or modified.

Key provisions of the model law include:

Written Information Security Program.  As currently drafted, the model law requires the maintenance of a “comprehensive written” information security program covering administrative, technical and physical measures to protect sensitive information.  The program should be “commensurate with the size and complexity … [of the organization’s] activities and the sensitivity” of the nonpublic information it collects and stores. 

Board Oversight. And similar to the recently implemented New York cybersecurity regulation covering financial institutions, the model law also requires board engagement.  The model law mandates that the board oversee the “development, implementation and maintenance” of the information security program including an annual board report on the state of the organization’s cybersecurity compliance.  We have previously reported on the New York regulation.

Third-Party Service Providers.  Given the high profile data breaches involving third-party network access, the model law also requires organizations to “exercise due diligence in selecting” its service providers and requires them to implement “appropriate measures” to safeguard nonpublic information.

Breach Investigation. The model law contains general requirements for a breach investigation such as assessing the nature and scope of the breach and taking reasonable measures to prevent future unauthorized access to nonpublic information.

Breach Notification.  The model law also requires notification to various parties in the event of a data breach including to the state insurance commissioner “[a]s expediently as possible and without reasonable delay but no later than three business days” after determining that a data breach has occurred.  There are other breach notification requirements as well.

Insurance trade groups have not uniformly embraced the model law.  During a series of comment periods, organizations including the American Council of Life Insurers, the Independent Insurance Agents & Brokers of America, Inc. and others have sought significant changes and expressed skepticism as to whether the proposal will receive broad support.  The National Conference of Insurance Legislators has stated that it is “impractical and inadvisable to pass a data security law for the insurance industry only[,]” will lead to conflicting obligations for insurers and the financial services industry.

We will continue to report on developments after the model law is discussed this weekend.