Maine and North Dakota recently adopted the National Association of Insurance Commissioners (NAIC) data security model law. They join at least 11 others states who have already adopted the model law. The model law applies to insurers, insurance agents and other entities licensed by the state department of insurance.
As we wrote about in our insurance certifications round-up, among other requirements, the model law requires organizations subject to the law to have:
- A comprehensive written information security program commensurate with the company's size and complexity
- A written incident response plan
- Employee training
- Appropriate oversight by the company's board of directors
Neither law will take effect right away. Maine's Model Law is not effective until January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect later, on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.