A Comprehensive Guide to the NAIC Model Law

In June 2021, we published a blog about the rapid rate of adoption of NAIC Model Laws. Flash forward just one year and the number of states that have passed data laws based on the NAIC model has more than doubled (rising from 10 states to 21).

Because of its rapid adoption and influence on the privacy landscape, our team of experts put together a comprehensive (and free) guide to help businesses navigate the law’s complexities – such as provisions, state-by-state adoptions, and notification requirements. 

Quick Refresher

What is the NAIC?

State governments, not federal agencies, have preeminence over the insurance industry (as defined by the McCarran-Ferguson Act of 1945). It’s up to each state to pass and enforce laws governing insurance companies. Every state has its own chief insurance commissioner who sits over a commission to manage this function. 

To create a consistent set of standards for state-by-state regulation of the industry, the 50 state insurance commissioners, along with one from the District of Columbia and five from U.S. territories, joined together to form the National Association of Insurance Commissioners (NAIC). 

What is the NAIC Insurance Data Security Model Law?

The NAIC drafts model laws for U.S. states, districts, and territories to use in drafting their own legislation governing how the insurance industry will safeguard and manage individual customer data. 

The NAIC provides regulatory support to individual states and territories by offering model laws that can be adopted wholesale by a state legislature, or modified to accommodate unique state-by-state differences.

When we write about the NAIC Model Law, we refer specifically to the Insurance Data Security Model Law (MDL 668). 

The NAIC saw a need for this law as a response to the growing number of large insurers experiencing data breaches. Providing a mechanism for state governing bodies to address consumer needs and concerns was a way to forestall federal intervention in the industry in response to those breaches. The law was passed by congress in October 2017. 

How many states have adopted the NAIC Insurance Data Security Model Law?

21 states have passed NAIC Model Laws as of May 31, 2022. The following map depicts which states.

The NAIC Calls for Urgent Adoption to Forestall Federal Government Intervention

The existence of pre-vetted language specifically designed to govern the insurance industry’s use of data has meant that these NAIC Model Laws have moved more quickly through state legislatures than comprehensive cybersecurity laws. 

As of today, only five states have passed a comprehensive set of Privacy Bills, while 21 have passed data laws specifically relating to the insurance industry.

The pace of adoption of the Model Law hastened due to a report issued by the U.S. Treasury Department in October 2017. In the report, the U.S. Treasury urged prompt action by states to adopt the NAIC Model Law within five years. If the Model was not adopted and implemented widely, the report recommended that Congress act by passing legislation setting forth uniform requirements for insurer data security. 

As the clock winds down on the five-year recommended adoption period, businesses should expect to see more states and districts adopt the NAIC Model Law in the second half of 2022. 

Understanding Data Incident Management Provisions in the NAIC Model Law

For insurers, the law adds complexity to the incident management lifecycle. Data Breach Incident Information Required by NAIC Model Law:

• Date of the event
• Description of how information was exposed, including the roles of third-party service providers
• How the cybersecurity event was discovered
• And 8 additional information requirements. Read the full list in our in-depth guide.

Nuances Vary by State

In theory, the NAIC Model Law provides a standardized approach to govern how companies must manage and respond to data incidents. In practice, we see that state-by-state, enacted laws are full of notable variances from the Model, reflecting the distinct preferences and business climates of individual states. 

When it comes to incident management and response, the nuances that are particularly important to note within the laws include the following differences:

“Nuances within NAIC Model Law adoptions mean that insurance licensees will find it challenging to apply a simple, uniform set-it and-forget-it compliance policy. It also means that automation of privacy incident risk assessment could be considered a basic business necessity to maintain compliance with evolving laws.” –Lauren Wallace, Chief Privacy Officer and General Counsel, RadarFirst

→ notification window 

→ threshold for notification

→ types of consumer information that – if breached – would be considered a data incident

→ individuals and oversight bodies that must be notified

For a full illustrative table depicting notification requirements by state and effective date, download the free guide.

Data points such as state, effective date, and notification window are only three of 18 categories of compliance that RadarFirst’s automated platform tracks and uses to determine incident risk. 

What’s Next for the NAIC Insurance Data Security Model Law  and Insurance Industry?

With only a few months until the federal government’s recommended adoption and implementation period ends, we anticipate many states will enact NAIC Model Laws in the second half of 2022. However, privacy teams should not consider any new legislation to be a one-and-done set of guidelines. 

The NAIC is currently reviewing and updating the NAIC Model Law discussed in this blog and guide (MDL 668), as well as Model Law 672 Privacy of Consumer Financial and Health Information Regulation. Organizations should expect that when the NAIC issues the new language for these laws, states will respond with amendments to their already adopted NAIC Model Laws, resulting in a constantly shifting set of requirements for incident management and response.

Digital Transformation of Privacy Incident Management Is Key to Meeting Complex Notification Requirements

The time to digitally transform how you manage privacy incidents is now.

The complex legal framework governing data management has grown to the extent that manual tracking and response will be nearly impossible in the near future (if not already). 

RadarFirst is the only intelligent incident solution capable of tracking new laws and amendments to existing laws, keeping our automated platform current and forever-compliant.