Maine is one of the latest states to enact its own version of the National Association of Insurance Commissioners (NAIC) model data security law, signing the Maine Insurance Data Security Act into law on March 17.
The NAIC Insurance Data Security Model Law was formally adopted in 2017 and aims to establish data security standards for regulators and insurers to mitigate damage from a data breach. It has since been adopted by several U.S. states, with Maine and North Dakota being two of the latest.
“The NAIC model development has received wide attention in the industry from interested parties, including trade groups representing insurers and producers,” Maine Bureau of Insurance Superintendent Eric Cioppa told Insurance Journal in emailed comments. “…Maine has actively participated in the development of the NAIC model law, which Maine’s new law is based upon.”
The Maine Insurance Data Security Act spells out standards for insurers licensed in the state regarding data security, as well as the investigation of and notification to the superintendent of cybersecurity events.
Cioppa said the standards are scalable to the size and complexity of each insurer or licensee and the type of information it has. There is an exemption for licensees that have fewer than 10 employees, including independent contractors who work in the business of insurance.
The act requires licensees to develop, implement and maintain a written information security program that aligns with the size and complexity of their business based on a risk assessment. Risk assessments are required to be conducted at least annually to assess the effectiveness of cybersecurity controls, information systems and other safeguards to manage threats.
In the event of a cybersecurity incident, insurers or outside vendors acting on behalf of insurers are required to conduct a prompt investigation and notify the superintendent no later than three business days after the event is discovered. A copy of the notice should also be provided to consumers.
By April 15th annually, Maine insurance carriers are required to submit to the superintendent a written statement certifying compliance with the requirements spelled out in the act.
Maine is continuing to focus on improving cybersecurity for the insurance industry in the state, Cioppa said, participating in the NAIC Innovation and Technology Task Force and Big Data and Artificial Intelligence (EX) Working Group and keeping Bureau staff informed of developments in those areas.
He said the Bureau also monitors data security breaches involving entities that are or should be licensed in Maine, and Maine’s legal staff works to respond to questions from entities about Maine law and insurtech issues as needed.
The Maine Insurance Data Security Act takes effect January 1, 2022, by which time licensees are expected to have an information security program in place. Cioppa said the Bureau will likely provide some additional guidance, either through updated FAQs or by issuing a bulletin, before the effective date.
“Ultimately, there is an expectation that regulated entities are responsible for knowing what the law is and what protected information they have, what information their third-party service providers have access to, how their systems are set up, how their systems and physical plants are protected from intrusion, what the current best practices in cybersecurity are and what cyberthreats are developing,” he said.