Coming to a State Near You: NAIC Data Security Model Law

On Oct. 24, 2017, the National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law to address cybersecurity risks and set guidelines for licensees.

While the law contains many details, some are particularly important for insurance agencies that handle personal information of clients and employees.

The model law closely resembles the New York Department of Financial Services (NY DFS) cybersecurity regulation that took effect on March 1, 2017. It provides a framework for states to establish their own cybersecurity rules for licensees. South Carolina was the first state to adopt the model law almost in its entirety, and other states are currently reviewing it.

Safeguarding consumers’ nonpublic information is a vital part of the model law, which places requirements on licensees in the event of a cybersecurity event. Notification to the insurance commissioner is required as soon as possible and no later than 72 hours after the discovery of a cybersecurity event.

Who Is a Licensee?

The model law defines a licensee as any person licensed, authorized to operate, or registered—or required to be licensed, authorized or registered—pursuant to the insurance laws of the state.

What Is a Cybersecurity Event?

The model law defines a cybersecurity event as any event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such a system. This does not include unauthorized acquisitions of encrypted nonpublic information if the encryption process or key is not also acquired, nor situations where the nonpublic information is not used or released and is returned or destroyed.

Key Requirements

Implementation of an information security program. Each licensee shall develop, implement and maintain a comprehensive written information security program based on the licensee’s risk assessment. It shall contain administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. This program shall protect against unauthorized access to, or use of, nonpublic information to help prevent harm to the consumer. It should also include a retention plan to evaluate how long nonpublic information should be kept, and to set protocol for the destruction of nonpublic information that is no longer needed.

Risk assessment and management. Licensees shall designate one or more employees, or an outside firm, to be responsible for the data security program and for making sure policies and procedures are in place to manage threats. This includes identifying internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information. The program should consider and document employee training, updates to network systems, storage of data, transmission of data and disposal of data.

Oversight by a board of directors. If the licensee has a board of directors, the board shall develop, implement and maintain an information security program that it reviews at least annually. The board should produce an annual report on overall status and compliance to address issues such as risk management, risk assessment, control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations, and responses to events. It must also address any recommended changes to the program.

Oversight of third-party service provider agreements. Licensees shall be responsible for exercising due diligence in selecting third-party service providers. Each third-party service provider shall be required to implement appropriate administrative, technical and physical measures to protect and secure the information systems and nonpublic information held by the third-party provider.

Incident response plan. Each licensee shall establish a written incident response plan to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information. This plan shall include an internal process for responding to a cybersecurity event, definition of roles, external and internal communications and information sharing, identification and remediation of any weaknesses in the information systems and controls, documenting and reporting of the cybersecurity event, and evaluation and revision of the incident response plan following a cybersecurity event.

Program adjustments. The licensee shall monitor, evaluate and adjust the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Annual certification. The licensee shall submit a written statement to the commissioner by Feb. 15 of each year, certifying compliance.

Exceptions

Section 9 of the model law contains several exceptions for:

  • Licensees with fewer than 10 employees, including independent contractors.
  • Licensees subject to the Health Insurance Portability and Accountability Act (HIPAA) who have established and maintain an information security program pursuant to HIPAA’s statutes, rules, regulations, procedures or guidelines.
  • An employee, agent, or representative or designee of a licensee, who is also covered by the information security program of another licensee.
  • Licensees who are compliant with the New York Compilation of Codes, Rules and Regulations, Title 23, Part 500 of the Cybersecurity Requirements for Financial Services Companies Act, effective March 1, 2017.

Exception status will be determined by each state. If a licensee ceases to qualify for an exception status, it will have 180 days to comply with the model law.

Licensees who receive exception status must still notify the commissioner within 72 hours after discovery of a cybersecurity event, and shall conduct a prompt investigation to determine its nature and scope.

Penalties

Individual states will determine the penalties for noncompliance.

Already, today’s varying state data breach laws create significant compliance issues for businesses across the country. The Agents Council for Technology (ACT) created the Agency Cyber Guide 1.0 to help agents understand individual regulations and the consequences of noncompliance, and to provide resources on all cyber regulations, including NY DFS, NAIC and Gramm-Leach-Bliley.

If you’re a Big “I” member and have additional questions about data security, contact ACT.

George Robertson, owner of Rockingham Insurance in Eden, North Carolina and president of Robertson Consulting, is an ACT committee member.