Printed from BusinessInsurance.com

NAIC cyber security model law hews to New York state's standard

Posted On: Sep. 4, 2017 12:00 AM CST

The National Association of Insurance Commissioners is moving closer to adopting an Insurance Data Security Model Law that closely follows New York’s cyber security regulation, which took effect in March.

The model law, the sixth version of which was adopted by the Cybersecurity Working Group and Innovation and

Technology task force at the NAIC’s summer meeting in Philadelphia in August, establishes industry standards for data security that will apply to a broad range of parties, including insurers, agents and brokers.

Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioners and notify commissioners of data breaches within 72 hours of a cyber security event.

The American Insurance Association was pleased the adopted model law is risk-based and consistent with New York’s cyber security law, said Angela Gleason, AIA’s senior counsel in Washington.

“A lot of companies are already implementing New York, and to have to do something that is different is just not good for consumers or licensees,” she said.

The biggest change was the removal of consumer notification elements featured in previous versions, Ms. Gleason said.

Ceding insurers with a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under a state’s breach notification law, according to the adopted version.

The model law will advance to the NAIC’s Executive Committee and Plenary during its Fall 2017 National Meeting in December, with adoption likely despite the objections of states such as Utah.

NAIC adoption would be followed by consideration by state legislatures, which would “look remiss if they didn’t address” the cyber threat, said Jean Connolly, Cleveland-based managing director of PricewaterhouseCooper L.L.P.’s national professional services group. “I just think this one has more forward momentum than lots of other model laws that some might say are just more regulation.”