NAIC’s Cybersecurity Model Law Nears Final Adoption

After nearly two years of extensive debate and development, the National Association of Insurance Commissioners (NAIC) began to formally take action on a new cybersecurity model law last week.

The NAIC’s Cybersecurity Working Group worked with the organization’s Innovation and Technology Task Force to bring the sixth, most recent version of the proposal to a vote and approve a draft, which the NAIC’s full membership is expected to approve during a conference call soon. 

At both the national and state association levels, developing this model law has been the focus of considerable Big “I” advocacy, education and grassroots attention from the beginning. The improved proposal is considerably different, more reasonable and less onerous as a result of these public and behind-the-scenes efforts. For example, it does not include the broad scope or several troubling elements of the cybersecurity regulation promulgated by the New York State Department of Financial Services earlier this year.

Most notably, the proposal would require insurance licensees with 10 or more employees—including insurance agencies and insurers—to establish an information security program that is commensurate with the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of the guarded information. The requirements are flexible and risk-based, and each individual licensee’s tailored security program would be required to respond to and mitigate the risks identified in periodic risk assessments the entity performs. Earlier versions of the model would have applied these mandates to all licensees and required them to adopt certain identified practices in all instances.

One of the association’s biggest concerns was the manner in which previous versions of the proposal imposed excessive burdens, strict liability and unrealistic duties on licensees in relation to their engagement with third-party service providers. The model now requires businesses simply to exercise due diligence and reasonableness in selecting third-party vendors that receive access to a licensee’s sensitive information, and to require those vendors to implement appropriate measures to protect such data.

Additional notable revisions include:

  • Data security requirements now apply to a more specific universe of information. 
  • Licensees who suffer data breaches—referred to as “cybersecurity events” in the model—must notify their home state regulators within 72 hours of discovering the event. If the breach affects the records of 250 or more residents of any other jurisdiction, the licensee must also notify that state’s officials. Any insurer who is the victim of a breach must also inform the insurance agents of record for all affected consumers. 
  • The model previously required a series of consumer notification requirements in the event that a licensee suffered a data breach. The provisions were extensive and, among other things, would have required licensees to offer free identity theft protection services to consumers potentially affected by a data breach. The NAIC removed all consumer disclosure mandates earlier this year—instead, licensees must comply with existing notice requirements.
  • The model no longer includes a provision that would have given regulators the open-ended authority, in the event of a data breach, to “prescribe the appropriate level of consumer protection required…and for what period of time that protection will be provided.” 
  • The model no longer creates a private right of action that consumers could have used to bring litigation against licensees which fail to comply with the model’s requirements. 

Model statutes of this nature are public policy recommendations to state legislatures and must be enacted by lawmakers in order to have the force of law. The NAIC intends for this particular model proposal to be ready for consideration in interested states during the 2018 legislative sessions. 

Wes Bissett is Big “I” outside senior counsel of government affairs.