The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Working Group (Cybersecurity WG) approved Version 6 (Finalized) of its Insurance Data Security Model Law (Model) on August 7 at the NAIC Summer 2017 National Meeting in Philadelphia. The following day the Model was approved by the Innovation and Technology Task Force. Next, it will be considered by the NAIC Executive Committee and, if approved, sent to the Joint Meeting of the Executive Committee and Plenary for a vote by all NAIC Members.
Version 6 of the Model incorporates significant changes from the first version released on March 2, 2016, including the narrowed purpose of establishing "standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees..." The Model applies to all Licensees, defined as individuals or non-governmental entities required to be authorized, registered, or licensed pursuant to a state's insurance laws. There are very limited exceptions to the definition. The Model also requires that all Licensees develop, implement, and maintain a comprehensive written Information Security Program (ISP).
The ISP should be based on an individual risk assessment and be commensurate with the Licensee's size and complexity, the nature and scope of its activities, and the sensitivity of the Nonpublic Information used or in the Licensee's possession, custody or control. The program should cover electronic and non-electronic Nonpublic Information. Nonpublic Information includes information that is not publicly available and covers material business information of the Licensee as well as specified personal, financial and health information concerning a Consumer or a family member.
The Model calls for oversight by the board of directors or an appropriate board committee, the designation of a responsible person for the ISP and oversight and due diligence of all third-party service providers. A Licensee must also monitor its program to adjust for changes in technology and must establish a written incident response plan.
The Model includes specific requirements for investigation and notification to the Commissioner in the case of a Cybersecurity Event. A Cybersecurity Event is defined as an event resulting in unauthorized access to, disruption, or misuse of an information system or information stored on such system. It does not include encrypted information where the key has not been acquired, released or used, or events where the Licensee has determined that the Nonpublic Information has not been used or released and has been returned or destroyed. Notification to the Commissioner of the domicile or home state, and any other state where 250 or more impacted insureds reside, is required within 72 hours from determining a Cybersecurity Event has occurred. Notification to affected consumers is governed by the state general data breach notification laws with copies of such notices provided to the Commissioner.
A Licensee is required to certify to the Commissioner annually (no later than February 15) that it is in compliance with the requirements of "Section 4 – Information Security Program," as well as maintain the materials and documentation used to support the certification for five years.
The Data Security Model Law provides for three exceptions from the Section 4 ISP requirements: a Licensee with fewer than 10 employees (including independent contractors), Licensees who certify in writing that they have established and maintain an ISP that meets HIPAA requirements, and a Licensee who is an employee, agent, representative, or designee of another Licensee, but is covered by that Licensee's ISP as long as that program complies with Section 4.
After evolving through multiple versions and considering a multitude of comments from the insurance industry and interested parties, Version 6 of the Model significantly tracks New York's Cybersecurity Regulation ("NY Regulation"). Importantly, the Model includes a drafting note indicating that the Cybersecurity WG intends compliance with NY Regulation to satisfy the Model's requirements. The note states "The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit.23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act."
Examples of some major similarities with the NY Regulation include:
- Several similar definitions, such as Cybersecurity Event, Information System, Multi-Factor Authentication, Nonpublic Information, Person, and Publicly Available Information. It is important to note that, unlike the Model, the NY Regulation covers electronic information only and, with respect to the Cybersecurity Event definition, includes "any act or attempt, successful or unsuccessful".
- Both the Model and the NY Regulation require that the Licensee perform a risk assessment.
- Written policies and procedures addressing the ISP, third-party vendor management and incident response.
- Annual reporting to the board of directors, or similar authority, by the person responsible for an Information Security Program.
- Requirement to ensure the use of secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications.
- Notification to the Commissioner as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.
- Annual documentation of compliance with the ISP.
- An exemption for Licensees with fewer than 10 employees.
While many industry participants view the inclusion of the NY Regulation concepts as a positive development, there is still industry concern regarding several aspects of the Model, including but not limited to, its confidentiality provisions and notice
Carlton Fields Jorden Burt, P.A. will continue to monitor the Data Security Model Law's progress, including whether eventual state adoption of the Model is uniform and includes the New York safe harbor intended by the Cybersecurity WG.