The State of NAIC’s Data Security Model Law

By | September 21, 2018

Most states have yet to adopt a cyber security model law for the insurance industry like the one approved by the National Association of Insurance Commissioners in 2017, but one expert believes the industry should be prepared for what he sees as an eventuality.

The NAIC last year approved the Insurance Data Security Model Law, which creates a legal framework for requiring insurance companies to operate cybersecurity programs.

The NAIC Model Law seeks to establish a guiding framework for regulated entities to set up cybersecurity programs. The law outlines planned cybersecurity testing, involvement with a company’s information security program and incident response plans for breach notification procedures.

The NAIC model law is only a guideline until adopted by individual states, but the NAIC is hoping a majority of states will adopt its model law over the next few years. The U.S. Treasury Department has endorsed the model and recommended that Congress should consider preempting the states if it is not adopted over the next five years.

South Carolina last year became the first state to adopt the model law. The South Carolina Department of Insurance Data Security Act was drafted by the NAIC’s Cybersecurity Working Group, chaired by South Carolina Insurance Director Raymond G. Farmer. Rhode Island has a proposal to adopt the model law making its way through state legislature.

Provisions of the South Carolina law, which follows the NAIC’s, requires insurers: to protect consumer information by safeguarding individual insurance policyholder’s personal information; to establish data security standards to mitigate the potential damage of a data breach; to develop, implement and maintain a secure information security program, investigate any cybersecurity events and notify the SCDOI of such events immediately.

The NAIC model law resembles regulations passed by New York’s Department of Financial Services. The state led the nation as the first to establish cybersecurity regulations, which became effective March 1, 2017.

California in late August passed a law that promises to yield what could be the nation’s most far-reaching law to give consumers more control over their personal data. The law requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third-parties have received it.

Tim Owen, a vice president of product management for insurance software provider Denver, Colo.-based Vertafore Inc., believes other states will soon follow.

Owen spoke with Insurance Journal about what the insurance community should be thinking about as states start to consider adopting this model law.

This has been edited for brevity and clarity.

Insurance Journal: Can you talk about the NAIC model law for data security, what it is and what it means?

Owen: Sure. I’ll give you a very brief history. There were some large security breaches in the industry a few years ago, 2014-15, which drove the National Association of Insurance Commissioners to create a cybersecurity task force. Their goal there, of course, is to protect customer information and the cyber breaches that occurred drove them to be a little more aggressive on that. So what they did in the task force was meet over a couple years, had a couple drafts of a model law and in that time they also had a couple states being a little proactive and created some cybersecurity laws so what they were trying to do is get a cybersecurity model law that other states could adopt and try to keep it as consistent as possible across all the states so it would make it easier for the industry to comply with that. In 2017 they adopted that model and it’s now starting to be adopted throughout the country at various states.

IJ: What do you see as the next steps for states in adopting this model law?

Owen: We saw the first state, South Carolina, adopt it in July and we’re looking for a couple more states to move forward in their legislative processes. There’s a process, of course, that the states have to follow in order to adopt a new model, so the model then goes through the legislative process of each state. The state adopts it, hopefully it’s close as possible to the model itself, but there are times where they deviate from the model for various reasons in the state as they go through that legislative process. I anticipate kind of a slow uptake at first and then once some of the states start adopting it and get enough momentum, we’ll see more and more states adopt it from there.

IJ: What should agents and insurers know about this? Should they be concerned?

Owen: Well, the agents and insurers should absolutely be concerned about their customers’ data. I believe they have for a long time but, of course, as the hackers and other organizations looking to get access to this data, it’s becoming more and more important for them to put additional attention on security. I think it’s a good thing for them, good thing for their customers to do that. Of course they now have some additional requirements as a result of the model as it starts to get adopted. It does require them to do additional reporting, additional assessments, take a look at their vendors, make sure that they’re putting together the best program for information risk management in their organizations to protect not only their data but their consumers’ data that they have in-house. It’s very important for them to know what their obligations are. I think over the last year with the New York law that was passed the attention has grown quite substantially from the model itself to now the enacted legislation at the various states. This is going to continue to grow over the next year. There’s actually a March deadline for the New York cybersecurity law compliance as well so there’s lots of attention being placed on this right now and with the vendors who support those customers.

IJ: You mentioned this New York law. Can you compare the two?

Owen: Well, a lot of the NAIC model incorporates the concept of the New York law but there are some, certainly there’s some differences. Requirements for multi-factor authentication is probably the one difference that is most notable but I think a lot of vendors, a lot of carriers, a lot of agencies are looking to adopt those practices not only if they do business in New York but it’s a general good practice. If they haven’t they’re certainly considering that now. There are differences but a lot of it was written intentionally to try to be as consistent as possible. That’s the whole point of the model act itself.

IJ: Does this new model law create any opportunities for agents and insurers?

Owen: I think it’s an opportunity for agents insurers to get closer and deepen the relationship with their customers. One way to do that, of course, is to reach out and educate them about how important the data that they require and need from the consumers, how they’re taking care of it and protecting it carefully.

That would actually help them reassure the actual insured about what’s going on with the data that they have given to the agency who has, in turn, given it to the carrier. It’s very important for the agency, the carrier to make sure that they’re paying attention to how the consumer data’s being protected and educating the consumer on the risks that are out there and inherent in information and cybersecurity issues but also how they’re doing everything they can in applying best practices to take care of that data.

Was this article valuable?

Here are more articles you may enjoy.