The NAIC Insurance Data Security Model Law: What You Need to Know
If you work in the insurance industry, you need to know about the NAIC Insurance Data Security Model Law. In this post we give you an overview of the security model, a list of adopting states (so far), and links to learn more.
Who should care: DBAs, heads of IT, and CTOs/CIOs in the insurance industry
The NAIC Insurance Data Security Model Law is relevant to data folks and leadership at all insurance companies operating in the United States.
Although this law is currently implemented only in selected states, the US Treasury Department has recommended prompt adoption of this model by states.
If the NAIC Insurance Data Security Model Law does not result in uniform regulation across the states, the Treasury Department recommends that Congress pass federal legislation.
What does the NAIC Insurance Data Security Model mean?
The NAIC Insurance Data Security model…
requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program
Good news: the information security program is outlined in a quite readable format in the model itself.
In Section 4, the model sets out the objectives of the program and states that the program should include:
- Risk assessment – including identifying both internal and external threats
- Risk management – including protecting nonpublic information (aka sensitive data) via access control implementation, encryption requirements, and adopting secure development requirements
- Oversight – by the Board of Directors and via arrangements with Third-Party Service Providers
- Adjustments over time
- Incident response plans
- Annual certifications to the Commissioner of the Domiciliary State
States which have adopted the NAIC Insurance Data Security Model Law
As of October 2020, the NAIC Insurance Data Security Model Law has been adopted in 11 states:
| State | Model Adoption |
|---|---|
| Alabama | ALA. CODE §§ 27-62-1 to 27-62-12 (2019) |
| Connecticut | CONN. GEN. STAT. ANN. § 38a-38 (2020) |
| Delaware | DEL. CODE ANN. tit. 18, §§ 8601 to 8611 (2019) |
| Indiana | IND. CODE ANN. §§ 27-2-27-1 to 27-2-27-32 (2020) (portions of model) |
| Louisiana | H.B. 614 (2020) |
| Michigan | MICH. COMP. LAWS §§ 500.550 to 500.565 (2018) |
| Mississippi | MISS. CODE ANN. §§ 83-5-801 to 83-5-825 (2019) |
| New Hampshire | N.H. REV. STAT. ANN. §§ 420-P:1 to 420-P:14; §§ 309:2 to 309:3 (2019) |
| Ohio | OHIO REV. CODE ANN. §§ 3965.01 to 3965.11 (2018) |
| South Carolina | S.C. CODE ANN. §§ 38-99-10 to 38-99-100 (2018) |
| Virginia | VA. CODE ANN. §§ 38.2-621 to 38.2-629 (2020) |
Additionally, Maryland, New York, and Puerto Rico have implemented either older or similar models or administrative guidance.
Further learning
To learn more about this regulation and how to protect sensitive data:
- Download the State Legislative Brief from NAIC — a convenient, shareable document summarizing the background and key points of the NAIC Insurance Data Security Model
- Check out the Insurance Data Security Model Law itself – at just over 10 pages, the model law is not too painful to read through
- Learn more from articles in our Audit and Compliance section