Ohio and Michigan Adopt NAIC Model Law; Five Other States Set to Do the Same

The National Association of Insurance Commissioners (NAIC) established its own standards, known as the NAIC Insurance Data Security Model Law.
By Rob Boyce Posted on April 4, 2019

The model law, which sets data security standards and rules for investigating and resolving data breaches across the insurance industry, closely tracks the New York Department of Financial Services’ Cybersecurity Regulation. Both regimes require insurance licensees to maintain a written information security program appropriate to their size and risk in order to protect customer data, and both impose a demanding breach notification window: regulators must be notified within 72 hours of the licensee determining that a cybersecurity event has occurred.

As recently as September 2018, only one state, South Carolina, had adopted the NAIC model law in its entirety. Since then, more states have moved toward enacting legislation that either follows the model law closely or departs from it in a few relatively minor ways. Ohio and Michigan now join South Carolina as adopters, and versions of the model law have been introduced in the legislatures of Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire.

Ohio’s and Michigan’s versions of the law both differ from the NAIC model law in specific areas. Both states relaxed the breach notification deadline, Ohio from 72 hours to three business days and Michigan to 10 days. Legislators in both states also broadened the exemption for small licensees. Under the NAIC model law, licensees with 10 or fewer employees are exempt from its requirements; Ohio’s law exempts licensees with 20 or fewer employees, and Michigan’s exempts those with 25 or fewer.

Ohio’s law goes further in two respects. First, it provides a legal safe harbor: a licensee that can demonstrate it has satisfied the law’s requirements is shielded from lawsuits alleging that its inadequate cybersecurity measures caused a data breach. Second, it narrows the definition of a “cybersecurity event” by requiring that the event not only stem from unauthorized access to or misuse of information but also have “a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” Events below that materiality threshold therefore do not trigger Ohio’s notification obligations, even though they might under the model law.
