P&C Technosavvy the Jan/Feb 2018 issue

Model Law Moving

The NAIC data security model law moves to the states.
By Michael Fitzpatrick Posted on February 21, 2018

“I have heard of several others that will give it strong consideration as well,” Farmer says.

Many states have already set their legislative agendas for the coming year, and consideration would likely have to wait until later sessions.

The model law, which would apply to insurers, agents, and other licensed individuals in states that adopt it, would set requirements for insurers, agents and brokers to help prevent breaches as well as actions to take in the event of a cyber attack. The NAIC model law has many similarities to the New York state cyber-security regulations for financial institutions that took effect last March and cover banks and other financial institutions as well as the insurance industry.

The NAIC model law would require licensees to conduct cyber risk assessments; to mitigate the identified risks; to establish an oversight committee; and to exercise due diligence in selecting third-party vendors. The law also mandates companies develop written incident response plans and certify annually that they are in compliance with the requirements.

“The model does address a number of issues,” Farmer says. “It provides for the implementation of an information security program. It provides for the investigation of cyber-security events and notification to the state insurance regulator about the breach itself. That has to be done within 72 hours.”

That notification would include the date, duration and extent of a breach, the information involved, remediation efforts and an estimate of the total number of consumers affected.

Because some 48 states already have consumer notification laws, the final version of the model law states that licensees shall comply with existing state laws and provide a copy of the notification to the state insurance commissioner.

“We didn’t reinvent that wheel,” Farmer says.

The law recognizes many agencies are small businesses and exempts from the information security program requirements those businesses with fewer than 10 employees and licensees who are compliant with HIPAA privacy standards.

The development of the model law was punctuated by two of the largest data breaches ever. The NAIC announced its cyber-security task force in late 2014, just before health insurer Anthem announced a data breach that affected more than 78 million customers. The adoption of the model law itself came just weeks after credit-reporting agency Equifax announced as many as 143 million Americans had their personal financial information exposed. Anthem later reached a $115 million settlement in litigation arising out of the 2015 hacking incident.

Even small business needs to protect itself against breaches, which can be very costly, Farmer says. The Ponemon Institute estimates the global average cost of a data breach at $3.62 million and the average cost of each lost or stolen record at $141.

Michael Fitzpatrick Technology Editor Read More

More in P&C

Weathering Cyber Storms
P&C Weathering Cyber Storms
Q&A with Joshua Motta, CEO and Co-Founder, Coalition
P&C Certified Cybersecurity
HITRUST certification can give small to medium-sized businesses peace of mind th...
Changing Weather Patterns Demand New Property Insurance Solutions
P&C Changing Weather Patterns Demand New Property Insurance Solutions
Q&A with Don Doyle Jr., Senior Vice President, Excess & Surplus Lines, and Dawn ...
Sponsored By Cincinnati Insurance
Wind vs. Water
P&C Wind vs. Water
The National Flood Insurance Program has lasted far longer than intended. Withou...
Balancing Costs and Coverage
P&C Balancing Costs and Coverage
As premises liability claims costs rise, the industry must f...
Sponsored By Nationwide
Saving Lives
P&C Saving Lives
Strong prevention components to active shooter policies can ...