- Heightened urgency to adopt the NAIC Insurance Data Security Model Law
- Nuances within state adoption
- Developing an agile plan for compliance
Read more below.
Understanding urgency and nuance in state adoption
In early 2016, the National Association of Insurance Commissioners (NAIC) began drafting the Insurance Data Security Model Law in reaction to a number of data breaches involving large insurers.
The model cybersecurity law was finalized in October 2017, and since then has been adopted and gone into effect in 10 states to date: Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia. Three additional insurance data security laws based on the model law will go into effect on July 01, 2021, in Hawaii, Indiana, and Tennessee.
The pace of adoption of the model law has been spurred on by a report issued by the U.S. Treasury Department, also in October 2017. In the report, the Treasury urged prompt action by states to adopt the model law within five years. If the model was not adopted and implemented, the Treasury recommended that Congress act by passing legislation setting forth uniform requirements for insurer data security.
A very real concern about federal preemption was surfaced in the introduction of Hawaii’s insurance data security legislation earlier this year, SB 1100:
The National Association of Insurance Commissioners strongly encourages that states adopt this model law by 2022, to avoid risking federal preemption of state laws in this area. While some licensees may already have cybersecurity policies and protocols in place, this Act will ensure and formalize insurance data security protections for all insurance licensees.
From fast-tracked legislative timelines to nuances within state adoptions – including varying exemptions and notification obligations – these new state insurance data security laws are providing interesting challenges and increasing complexity for insurance privacy teams.
Nuance in State Adoption and Effective Dates
We’ve seen some surprising differences in state legislation based on the NAIC model cybersecurity law. These nuances mean that insurance licensees will find it challenging to apply a simple, uniform set-it-and-forget-it compliance policy. It also means that automation of privacy incident risk assessment could be considered a basic business necessity to maintain compliance with evolving laws.
- Cybersecurity event notification timelines ranging from 72 hours to 3 business days to 10 business days.
- Differences in the definition of nonpublic (consumer) information.
- Differing notification obligations that could include a requirement to notify consumers and consumer reporting agencies as well as a state’s insurance commissioner.
Adding complexity, within adopted laws, different sections can go into effect at different times. For example, it’s not unusual for breach notification obligations to go into effect up to a year before licensees must comply with cybersecurity program requirements.
The pressure on privacy teams is high and getting higher.
Developing a Plan for Compliance
As adoption of the NAIC Insurance Data Security Model Law gains momentum, any organizational compliance policy will require agility to adapt and encompass the nuances present in each state’s adoption.
How do organizations position themselves to support the requirements of these new insurance data security laws? Can privacy leaders avoid reinventing the wheel with each new law as well as avoid over- or under-notifying in the event of a cybersecurity incident?
- Determines if the incident qualifies as a notifiable cybersecurity event
- Provides a jurisdiction-by-jurisdiction risk of harm analysis
- Alerts you of notification timelines for each jurisdiction
- Enables quick outreach with notification templates
- Publishes state-specific law overviews to support your understanding of a law’s complexity
With less than a year until the federal government’s recommended adoption and implementation period ends, privacy teams who rely on manual, uniform incident response processes or who have previously found success tracking new laws in spreadsheets may benefit the most from automated risk assessment and intelligent incident response software.
This adaptable solution is made possible through the Radar Breach Guidance Engine™, the only tool that can answer privacy’s most critical question, in the event of a data breach, do you notify or not?