Who should care: DBAs, heads of IT, and CTOs/CIOs in the insurance industry
The NAIC Insurance Data Security Model Law is relevant to data folks and leadership at all insurance companies operating in the United States.
Although this law is currently implemented only in selected states, the US Treasury Department has recommended prompt adoption of this model by states.
If the NAIC Insurance Data Security Model Law does not result in uniform regulation across the states, the Treasury Department recommends Congress to pass Federal legislation.
What does the NAIC Insurance Data Security Model mean?
The NAIC Insurance Data Security model…
requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program
Good news: the information security program is outlined in a quite readable format in the model itself.
In Section 4, it explains the objects of the program and that the program should include:
- Risk assessment – including identifying both internal and external threads
- Risk management – including protecting nonpublic information (aka sensitive data) via access control implementation, encryption requirements, and adopting secure development requirements
- Oversight – by Board of Directors and via arrangements with Third-Party Service Providers
- Adjustments over time
- Incident response plans
- Annual Certifications to the Commissioner of the Domiciliary State
States which have adopted the NAIC Insurance Data Security Model Law
As of October 2020, the NAIC Insurance Data Security Model Law has been adopted in 11 states:
|Alabama||ALA. CODE §§ 27-62-1 to 27-62-12 (2019)|
|Connecticut||CONN. GEN. STAT. ANN. § 38a-38 (2020)|
|Delaware||DEL. CODE ANN. tit. 18, §§ 8601 to 8611 (2019)|
|Indiana||IND. CODE ANN. §§ 27-2-27-1 to 27-2-27-32 (2020) (portions of model)|
|Louisiana||H.B. 614 (2020)|
|Michigan||MICH. COMP. LAWS §§ 500.550 to 500.565 (2018)|
|Mississippi||MISS. CODE ANN. §§ 83-5-801 to 83-5-825 (2019)|
|New Hampshire||N.H. REV. STAT. ANN. §§ 420-P:1 to 420-P:14; §§ 309:2 to 309:3 (2019)|
|Ohio||OHIO REV. CODE ANN. §§ 3965.01 to 3965.11 (2018).|
|South Carolina||S.C. CODE ANN. §§ 38-99-10 to 38-99-100 (2018).|
|Virginia||VA. CODE ANN. §§ 38.2-621 to 38.2-629 (2020).|
Additionally, Maryland, New York, and Puerto Rico have implemented either older or similar models or administrative guidance.
To learn more about this regulation and how to protect sensitive data:
- Download the State Legislative Brief from NAIC — a convenient, shareable document summarizing the background and key points of the NAIC Insurance Data Security Model
- Check out the Insurance Data Security Model Law itself – at just over 10 pages for the model law itself, this is not too painful to read through
- Learn more from articles in our Audit and Compliance section
Was this article helpful?