Model Law Moving
The insurance data security model law adopted in October by the National Association of Insurance Commissioners moves to the states in 2018, and South Carolina is likely to be among the first to take it up, says South Carolina insurance director Raymond Farmer, chair of the NAIC’s Cybersecurity (EX) Working Group.
“I have heard of several others that will give it strong consideration as well,” Farmer says.
Many states have already set their legislative agendas for the coming year, and consideration would likely have to wait until later sessions.
The model law, which would apply to insurers, agents, and other licensed individuals in states that adopt it, would set requirements for insurers, agents and brokers to help prevent breaches as well as actions to take in the event of a cyber attack. The NAIC model law has many similarities to the New York state cyber-security regulations for financial institutions that took effect last March and cover banks and other financial institutions as well as the insurance industry.
The NAIC model law would require licensees to conduct cyber risk assessments; to mitigate the identified risks; to establish an oversight committee; and to exercise due diligence in selecting third-party vendors. The law also mandates companies develop written incident response plans and certify annually that they are in compliance with the requirements.
“The model does address a number of issues,” Farmer says. “It provides for the implementation of an information security program. It provides for the investigation of cyber-security events and notification to the state insurance regulator about the breach itself. That has to be done within 72 hours.”
That notification would include the date, duration and extent of a breach, the information involved, remediation efforts and an estimate of the total number of consumers affected.
Because some 48 states already have consumer notification laws, the final version of the model law states that licensees shall comply with existing state laws and provide a copy of the notification to the state insurance commissioner.
“We didn’t reinvent that wheel,” Farmer says.
The law recognizes many agencies are small businesses and exempts from the information security program requirements those businesses with fewer than 10 employees and licensees who are compliant with HIPAA privacy standards.
The development of the model law was punctuated by two of the largest data breaches ever. The NAIC announced its cyber-security task force in late 2014, just before health insurer Anthem announced a data breach that affected more than 78 million customers. The adoption of the model law itself came just weeks after credit-reporting agency Equifax announced as many as 143 million Americans had their personal financial information exposed. Anthem later reached a $115 million settlement in litigation arising out of the 2015 hacking incident.
Even small business needs to protect itself against breaches, which can be very costly, Farmer says. The Ponemon Institute estimates the global average cost of a data breach at $3.62 million and the average cost of each lost or stolen record at $141.