NAIC Task Force Hosts Insurance Data Security Model Law Meeting
On May 24 and 25, the National Association of Insurance Commissioners (the “NAIC”) Cybersecurity (EX) Task Force (the “Task Force”) hosted a meeting at which state insurance commissioners and interested parties were invited to comment on and voice concerns about the current draft of the Insurance Data Security Model Law (the “Model Law”). This Model Law is designed to “establish exclusive standards for data security and investigation and notification of a breach of data security” for “all licensed insurers, producers, and other persons” licensed, authorized, or registered pursuant to an enacting state’s insurance laws (collectively, “Licensees”).
During the meeting, the key areas of contention in the Model Law included (1) certain prescriptive security measures that Licensees are expected to incorporate into their information security programs; (2) the requirement that Licensees compel third-party service providers to agree by contract to certain data security provisions; (3) the timing, substance, and procedure for notifying consumers of a data breach; and (4) consumer remedies following a data breach, such as regulatory remedies and a private right of action.
Follow-up comments to this draft of the Model Law are due to the Task Force by June 3. Task Force Chair Adam Hamm of North Dakota has indicated that the NAIC intends to finalize this Model Law in 2016, so that it can be considered by state legislatures in 2017. Chair Hamm has also expressed an interest in making this Model Law an NAIC accreditation standard.