NAIC Insurance Data Security Model Law Poised for Adoption
On August 7, 2017, the National Association of Insurance Commissioners (“NAIC”) Cybersecurity Working Group adopted as final, over one dissenting vote, the sixth draft of the NAIC Data Security Model Law. The next day, the NAIC Executive Committee voted to extend the time for presentation of the final draft of the Model Law by the Cybersecurity Working Group, which had previously been given a deadline of the 2017 Summer Meeting in Philadelphia. The actions by the Working Group and the Executive Committee now leave the Model Law poised for presentation to, and adoption by, the Executive Committee at the NAIC Winter Meeting in December in Honolulu, Hawaii.
The Model Law is the product of drafting spanning almost two years beginning in March, 2016 and was developed contemporaneously with the New York Department of Financial Services Regulation 500, a data security regulation that became effective on March 31, 2017. While the language and structure of the Model Law and the New York regulation were initially quite different, the last two drafts of the Model Law adopted much of the terminology, structure, and concepts of Regulation 500. In fact, the drafters indicated that it was their intention (although no explicit exemption was written into the Model Law) that compliance with Regulation 500 would be deemed compliance with the Model Law.
Both the Model Law and Regulation 500 are generally applicable to any entity licensed under the insurance laws of the state. Each requires that the licensee perform a “risk assessment” to evaluate the potential for data breaches or unauthorized access to nonpublic information held by the licensee. Both mandate that the licensee adopt a written cybersecurity program or policy based on the risk assessment. The required programs must consider, among others, access controls, encryption, multi-factor authentication, adequacy of controls of third-party vendors, testing and monitoring, creation of audit trails, and cybersecurity awareness training for employees. Each requires the licensee to appoint a person responsible for the cybersecurity program and for the licensee’s board of directors or governing body to receive and meaningfully evaluate a report on the structure and effectiveness of the cybersecurity program from the designated responsible person. Both also require the development of an incident response plan and mandate notice to the domiciliary commissioner within 72 hours of a specified breach.
The draft Model Law also has some significant differences from Regulation 500. First, the requirements of the Model Law to develop a written cybersecurity program are “commensurate with the size and complexity of the licensee.” While it is clear that the drafters intended that the extent of the program be proportional to the size and complexity of the licensee’s business, little guidance as to implementation is given. Although the Model Law suggests that the licensee may consider limitation of all aspects of the cybersecurity program in this sliding scale analysis, Regulation 500 requires that certain criteria, such as encryption, multi-factor authorization, penetration testing and monitoring, audit trails and access controls must be present in all programs. The Model Law requires licensees to exercise “due diligence” in selecting third-party providers and require “appropriate” security measures by such providers, while Regulation 500 requires extensive, specific written policies and procedures regarding such third-party providers. Regulation 500 requires notice to the Commissioner of any attempt (successful or unsuccessful) to breach the licensee’s systems, while the Model Law requires notice only when unauthorized access to information has occurred. Finally, the Model Law exempts not only licensees with less than ten employees, but also any entity that has complied with the data security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Regulation 500 does not exempt HIPAA-compliant licensees.
With the anticipated adoption of the Model Law by the NAIC Executive Committee in December, states will likely begin the process of enacting the Model Law. For insurers that are not already subject to Regulation 500, the Model Law will impose significant obligations on licensed insurers to develop cybersecurity programs meeting its requirements. For insurers already subject to Regulation 500, there are differences in the requirements of the Model Law that may require different actions and procedures.
Saul Ewing’s Insurance Practice Group is conversant with both of these laws and can assist insurers with their compliance efforts. Please contact the author with any questions, comments or concerns regarding the Model Law or Regulation 500.