NAIC cyber security model law to be released in 2017
MIAMI — The third and final draft of the National Association of Insurance Commissioners’ cyber security model law won’t be ready for consideration until 2017, according to South Carolina Insurance Director Ray Farmer, the vice chair of the NAIC’s cyber security task force.
NAIC’s cyber security task force released an updated draft Insurance Data Security Model Law in August that was to be considered for possible approval at the organization’s fall meeting in Miami this past weekend. However, stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft, said Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.
The model law, which the task force began drafting in March 2016, would establish standards for data security and for the investigation and notification of a data breach, and would apply to licensees, which include not just insurers but also agents, brokers and other parties. It would require these organizations to create a comprehensive written information security program that details the administrative, technical and physical safeguards for protecting personal information. It would also require a licensee’s board of directors to approve and oversee implementation of the program and compliance with the law.
NAIC’s intention in developing this model law was to establish more uniformity across state laws and regulations, but stakeholders stated that this objective was somewhat undermined by the fact that the draft specifically stated it does not supersede existing state laws or regulations.
The ad hoc drafting group, led by Ms. Dwyer and Anne Melissa Dowling, acting director of the Illinois Department of Insurance, will move the process forward by engaging in discussions with interested parties with an eye toward reaching consensus on proposals to be considered by the full cyber security task force.
Ms. Dwyer said six issues require consensus to move forward: how to address state uniformity and exclusivity of the law; whether and how to include exemptions for licensees subject to the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act; whether to include a harm trigger in the definition of data breach; how to define personal information; how to address scale, quality of information and security requirements for smaller licensees; and how to address licensee oversight of third-party service providers.
North Dakota Commissioner Adam Hamm, chair of the cyber security task force and a major proponent of the model law, will be stepping down from his position next year. Mr. Farmer thanked Mr. Hamm for “your leadership, your stubbornness” and credited him with much of the progress made by the cyber security task force.
These efforts included the April 2015 issuance of cyber security principles aimed at encouraging state insurance regulators to incorporate particular elements into their cyber security regulatory frameworks and to ensure adequate protection of all personally identifiable information held by insurers, producers, other regulated entities and third-party service providers, followed by the issuance of the cyber security roadmap that outlined consumer protections for cyber security breaches.