The NAIC Insurance Data Security Model Law: What You Need to Know

If you work in the insurance industry, you need to know about the NAIC Insurance Data Security Model Law. In this post we give you an overview of the security model, a list of adopting states (so far), and links to learn more.

Who should care: DBAs, heads of IT, and CTOs/CIOs in the insurance industry

The NAIC Insurance Data Security Model Law is relevant to data folks and leadership at all insurance companies operating in the United States.

Although this law is currently implemented only in selected states, the US Treasury Department has recommended prompt adoption of this model by states.

If the NAIC Insurance Data Security Model Law does not result in uniform regulation across the states, the Treasury Department recommends that Congress pass federal legislation.

What does the NAIC Insurance Data Security Model mean?

The NAIC Insurance Data Security model…

requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program

State Legislative Brief, NAIC, June 2020

Good news: the information security program is outlined in a quite readable format in the model itself.

Section 4 sets out the objectives of the program and states that the program should include:

  • Risk assessment – including identifying both internal and external threats
  • Risk management – including protecting nonpublic information (aka sensitive data) by implementing access controls, encryption requirements, and secure development requirements
  • Oversight – by Board of Directors and via arrangements with Third-Party Service Providers
  • Adjustments over time
  • Incident response plans
  • Annual Certifications to the Commissioner of the Domiciliary State

States which have adopted the NAIC Insurance Data Security Model Law

As of October 2020, the NAIC Insurance Data Security Model Law has been adopted in 11 states:

State            Model Adoption
Alabama          ALA. CODE §§ 27-62-1 to 27-62-12 (2019)
Connecticut      CONN. GEN. STAT. ANN. § 38a-38 (2020)
Delaware         DEL. CODE ANN. tit. 18, §§ 8601 to 8611 (2019)
Indiana          IND. CODE ANN. §§ 27-2-27-1 to 27-2-27-32 (2020) (portions of model)
Louisiana        H.B. 614 (2020)
Michigan         MICH. COMP. LAWS §§ 500.550 to 500.565 (2018)
Mississippi      MISS. CODE ANN. §§ 83-5-801 to 83-5-825 (2019)
New Hampshire    N.H. REV. STAT. ANN. §§ 420-P:1 to 420-P:14; §§ 309:2 to 309:3 (2019)
Ohio             OHIO REV. CODE ANN. §§ 3965.01 to 3965.11 (2018)
South Carolina   S.C. CODE ANN. §§ 38-99-10 to 38-99-100 (2018)
Virginia         VA. CODE ANN. §§ 38.2-621 to 38.2-629 (2020)

Additionally, Maryland, New York, and Puerto Rico have implemented either older or similar models, or administrative guidance.

Further learning

To learn more about this regulation and how to protect sensitive data: