P&C Technosavvy the Jan/Feb 2018 issue

Model Law Moving

The NAIC data security model law moves to the states.
By Michael Fitzpatrick Posted on February 21, 2018

“I have heard of several others that will give it strong consideration as well,” Farmer says.

Many states have already set their legislative agendas for the coming year, and consideration would likely have to wait until later sessions.

The model law, which would apply to insurers, agents, and other licensed individuals in states that adopt it, would set requirements for insurers, agents and brokers to help prevent breaches as well as actions to take in the event of a cyber attack. The NAIC model law has many similarities to the New York state cyber-security regulations for financial institutions that took effect last March and cover banks and other financial institutions as well as the insurance industry.

The NAIC model law would require licensees to conduct cyber risk assessments; to mitigate the identified risks; to establish an oversight committee; and to exercise due diligence in selecting third-party vendors. The law also mandates companies develop written incident response plans and certify annually that they are in compliance with the requirements.

“The model does address a number of issues,” Farmer says. “It provides for the implementation of an information security program. It provides for the investigation of cyber-security events and notification to the state insurance regulator about the breach itself. That has to be done within 72 hours.”

That notification would include the date, duration and extent of a breach, the information involved, remediation efforts and an estimate of the total number of consumers affected.

Because some 48 states already have consumer notification laws, the final version of the model law states that licensees shall comply with existing state laws and provide a copy of the notification to the state insurance commissioner.

“We didn’t reinvent that wheel,” Farmer says.

The law recognizes many agencies are small businesses and exempts from the information security program requirements those businesses with fewer than 10 employees and licensees who are compliant with HIPAA privacy standards.

The development of the model law was punctuated by two of the largest data breaches ever. The NAIC announced its cyber-security task force in late 2014, just before health insurer Anthem announced a data breach that affected more than 78 million customers. The adoption of the model law itself came just weeks after credit-reporting agency Equifax announced as many as 143 million Americans had their personal financial information exposed. Anthem later reached a $115 million settlement in litigation arising out of the 2015 hacking incident.

Even small business needs to protect itself against breaches, which can be very costly, Farmer says. The Ponemon Institute estimates the global average cost of a data breach at $3.62 million and the average cost of each lost or stolen record at $141.

Michael Fitzpatrick Technology Editor Read More

More in P&C

Protect Your Pet
P&C Protect Your Pet

Pet insurance has become a multibillion-dollar global industry, but it has plenty of room to grow.

P&C Premium Increases Flat to Down
The Council’s Commercial P/C Market Index for Q1 is here.
A Mosaic of an Insurance Claim
P&C A Mosaic of an Insurance Claim
The marine insurance industry can withstand Baltimore bridge catastrophe, expert...
Power Play
P&C Power Play
Insurers and insureds alike must face the glaring risks and vulnerabilities in t...
Property & Casualty Hard Market Turns 6
P&C Property & Casualty Hard Market Turns 6
It may not happen immediately, but signs point to softening ...
Small Business Cyber Risk Represents a Big Opportunity for Agents
P&C Small Business Cyber Risk Represents a Big Opportunity for Agents
Q&A with Joshua Parrish, Executive Vice President at RT Spec...
Sponsored By RT Specialty