Ohio and Michigan Adopt NAIC Model Law; Five Other States Set to Do the Same

The National Association of Insurance Commissioners (NAIC) established its own standards, known as the NAIC Insurance Data Security Model Law.
By Rob Boyce Posted on April 4, 2019

This model law, which establishes data security and data breach investigation and resolution standards across the insurance industry, closely follows the New York Department of Financial Services’ Cybersecurity Rule: both obligate insurance companies to maintain appropriate data security standards to protect customer data, and both impose a demanding breach notification window of 72 hours after a breach has been discovered.

As recently as September 2018, only one state, South Carolina, had adopted the NAIC law in its entirety. But recently, more states have shown movement toward enacting legislation that either follows the NAIC law closely or departs from it in a few relatively minor ways. Ohio and Michigan now join South Carolina as adopters of the NAIC law, and versions of it have been introduced in Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire legislatures.

Ohio’s and Michigan’s versions of the law both depart from the NAIC model law in specific areas. Ohio extended the breach notification deadline from 72 hours to three business days, and Michigan extended it to 10 days. Legislators in both states also broadened the exemptions for small licensees. Under the NAIC model law, licensees with 10 or fewer employees are exempt from its requirements; Ohio’s law exempts licensees with 20 or fewer employees, and Michigan’s exempts licensees with 25 or fewer employees.

Ohio’s law also provides a legal safe harbor: a licensee that can demonstrate it has satisfied the law’s requirements is protected against lawsuits alleging that insufficient cybersecurity measures on its part caused a data breach. Ohio’s law further narrows the definition of a “cybersecurity event” by requiring that the event not only stem from unauthorized access to or misuse of information but also have “a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.”
