Kentucky Governor Andy Beshear recently signed House Bill 474 to become the latest state to enact data insurance security legislation. The new law is modeled after the data security law of the National Association of  Insurance Commissioners (NAIC). Licensees with more than 50 employees who are authorized to operate, or are registered under the insurance laws of Kentucky, must comply with the new law. The law requires that licensees comply with data security provisions such as developing a written information security program, investigating and reporting cybersecurity events to the insurance commissioner within three days, and conducting risk assessments.

Although the law takes effect on January 1, 2023, licensees will have one year from its effective date of the law to implement many provisions of the law, including performing the risk assessment, establishing the written information security program, and designating an individual or vendor who is responsible for the information security program. The law also states the licensees have two years to design and implement a full information security program.

We previously wrote about the NAIC Model Law when Maine and North Dakota enacted similar laws. Our latest count is that now 21 states have enacted similar laws, some with slight variations as to notification periods, timelines, or definitions.

Two more state governors, those of Maine and North Dakota, have signed bills into law that adopt the National Association of Insurance Commissioners (NAIC) data security model law (Model Law). Maine and North Dakota join several other states that have already passed similar laws. Hawaii, Idaho, Illinois, Iowa, Minnesota, Rhode Island, and Wisconsin have similar bills pending.

What is the NAIC Model Law and to Whom Does it Apply?

According to the NAIC, the Model Law “seeks to establish standards for regulators and insurers in order to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.”

What Does the Model Law Require?

The Model Law requires insurers and regulated entities licensed by state insurance departments to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program. The Model Law also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner. Licensees are required to implement an incident response plan.

Both the Maine and the North Dakota laws will not take effect right away. Maine’s Model Law is effective January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.

The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The Model Law was first released in April of this year and received over 40 comments from trade associations, market participants and regulators. This week, at the NAIC National Summer Meeting, the Task Force met with interested parties to discuss comments on this new draft and written comments to the Model Law may be submitted by September 16, 2016.

Continue Reading NAIC Released Draft of Revised Insurance Data Security Model Law for Review

On October 14, the National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Task Force released an updated draft of its Cybersecurity Bill of Rights. The bill, which updates a prior draft published for comment in July 2015, details certain rights of insurance consumers in connection with protection of personal information and responses to data breaches by insurers and agents. Specifically, insurance consumers have the right to:

  1. Know the types of personal information collected and stored by insurers, agents or their vendors,
  2. Expect insurers to make their privacy policies available on their website and in hard copy, if requested,
  3. Expect insurers to prevent unauthorized access to personal information,
  4. Receive notice from insurers in the event of a data breach through first class mail or email, sent within 60 days of discovery,
  5. Receive 1 year of identity theft protection paid for by the insurer involved in a data breach,
  6. In the event of identity theft, be aware of the measures available to protect their credit and prevent contact from debt collectors.

This draft scales back some of the protections contained in the July 2015 draft published for comment, which included specific references to consumer protections under the Fair Credit Report Act and HIPAA. While the bill would not have binding effect, there has been concern voiced in the industry about whether the bill implies that consumers have greater rights than provided for under individual state laws. The bill will now go before the NAIC Executive (EX) Committee for approval in November.

Cybersecurity risks have become more significant as critical consumer financial and health information is increasingly stored in electronic form. On April 16, 2015, the National Association of Insurance Commissioners (NAIC) adopted guidance concerning the protection of sensitive consumer information held by insurers and insurance producers.  The document also is intended to aid insurance regulators in the identification of uniform standards, to promote accountability across the entire insurance sector, and to provide access to essential information.

The guidance consists of 12 principles that were derived from similar cybersecurity regulatory guidance issued by the Securities Industry and Financial Markets Association (SIFMA). Among other things, the NAIC indicates that state insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Further, the guidance states that regulators should mandate that these entities have systems in place to promptly alert consumers in the event of a breach.

The NAIC notes that regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, but with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations. The NAIC expects insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them, including planning for incident response and taking steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.

In the wake of several recent large-scale data breach incidents, companies can expect to see more laws and regulation regarding data security on both the federal and state level.  Although the concepts included in the NAIC guidance are not particularly new, insurers and other regulated entities will likely want to review the guidance to ensure that they are focusing on the same basic principles as the regulators. Companies outside of the insurance area may also find the guidance useful for their own cybersecurity efforts.

Following in the footsteps of the New York Department of Financial Regulation (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variations from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification.  Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states and to stay current as states adopt new laws regulating cybersecurity.

Shortly after the discovery of a cybersecurity breach at the health insurance company Anthem, Inc., the National Association of Insurance Commissioners (NAIC) called for a multi-state examination of Anthem’s cybersecurity practices to determine what protections were in place and what actions could have been taken to minimize data losses.  The examination is currently underway and led by insurance regulators from California, Indiana, Maine, Missouri, New Hampshire, North Dakota and South Carolina.  It should be noted that while this appears to be the first large scale multi-state examination of an insurer’s cybersecurity practices, some insurance departments, such as Connecticut, have already been conducting review of an insurer’s cybersecurity policies and procedures as part of its regular examinations.

Subsequently, NAIC released for comment two draft documents on cybersecurity. The first draft document, developed by NAIC’s recently created Cybersecurity Task Force, is entitled “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the Principles).  The Principles were designed to help state insurance departments identify cybersecurity risk and establish uniform standards to protect against it. The Principles also identify ways in which state regulators and NAIC can work with the insurance industry to flag these risks and work together on meaningful solutions.

The second draft document, developed by NAIC’s Property and Casualty Insurance Committee, is NAIC’s “Annual Statement Supplement for Cybersecurity Policies” (the Supplement).  The Supplement reviews recent cybersecurity exposures.

In addition to NAIC’s multi-state examination of Anthem, and its release of the draft Principles and Supplement, the New York State Department of Financial Services (NYDFS) is also looking into insurers’ cybersecurity practices.  NYDFS recently released the results of its cybersecurity survey of insurance companies. The survey inquired about insurers’ current and future cybersecurity programs, including their use of third-party vendors.  Forty-three insurance companies responded to the survey and provided insight into existing and planned cybersecurity programs, as well as the nature of measures taken by them to safeguard sensitive data and/or to protect against loss due to security incidents.


NYDFS is the principal regulator for insurance companies operating in the State of New York, as well as certain financial entities and other financial institutions. NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.