The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The first draft Model Law was released in April of this year and received over 40 comments from trade associations, market participants and regulators.
The first draft began as a compilation of four previously released guidelines, to which it added specific required practices and penalties. It incorporated elements of the Insurance Information and Privacy Protection Model Act, the Privacy of Consumer Financial and Health Information Regulation, the Principles for Effective Cybersecurity: Insurance Regulatory Guidance, and the NAIC Roadmap for Cybersecurity Consumer Protections. The release of the first draft Model Law drew many criticisms. NAIC members expressed concerns about: (1) certain prescriptive security measures that insurance companies were expected to incorporate into their information security programs; (2) the requirement that insurance companies compel third-party service providers to agree by contract to certain data security provisions; (3) the timing, substance, and procedure for notifying consumers of a data breach; and (4) consumer remedies following a data breach, such as regulatory remedies and a private right of action.
Having reviewed the comments received on the first draft Model Law, the NAIC released the revised draft following its National Summer Meeting, where the Task Force met with interested parties to discuss comments on the revised draft. Written comments on the revised Model Law may be submitted until September 16, 2016.