On Oct. 24, the National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard setting and regulatory support organization consisting of the top insurance regulators from the 50 states, District of Columbia, and five U.S. territories. The model law applies to “licensees” which are defined as persons and nongovernmental business entities subject to the insurance laws of the state adopting the model law. In Pennsylvania, for example, this would encompass insurance companies and insurance producers (i.e., agents, agencies and brokers). Notably, this applies to nonresident licensees except for purchasing groups, risk retention groups or when acting as assuming insurer. For example, a broker resident in a state that has not adopted the model law, is potentially subject to the model law if they are also licensed in another state that has adopted the model law. Thus, it will be important to track what states enact the model law and also how uniformly the model law is enacted state to state.

The intent of the model law is to establish standards for data security, the investigation of cybersecurity events and notification of the commissioner of cybersecurity events. In order to understand how the model law attempts to meet those objectives it is necessary to understand how the model law has defined the different elements that are involved in cybersecurity. A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption or misuses of, an information system or information stored on such information system.” Information system is defined broadly as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information …” and expressly includes “specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” This broad definition encompasses both traditional computer networks and devices, but also other machines that fall under the rubric “the internet of things” and systems such as HVAC systems which have been the entry point for hackers in notable data breaches. Information security program means “the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic Information.”

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]