Ohio and Michigan Adopt NAIC Model Law; Five Other States Set to Do the Same

The National Association of Insurance Commissioners (NAIC) established its own standards, known as the NAIC Insurance Data Security Model Law.
By Rob Boyce Posted on April 4, 2019

This model law, which establishes data security and data breach investigation and resolution standards across the insurance industry, closely follows the New York Department of Financial Services’ Cybersecurity Rule: both laws obligate insurance companies to maintain appropriate data security standards to protect their customer data, and they impose an onerous breach notification time frame of 72 hours after a breach has been discovered.

As recently as September 2018, only one state, South Carolina, had adopted the NAIC law in its entirety. But recently, more states have shown movement toward enacting legislation that either follows the NAIC law closely or departs from it in a few relatively minor ways. Ohio and Michigan now join South Carolina as adopters of the NAIC law, and versions of it have been introduced in Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire legislatures.

Ohio and Michigan’s versions of the law both differ from the NAIC model law in specific areas. Both states extended the breach notification deadline beyond 72 hours: Ohio to 3 business days and Michigan to 10 days. Legislators in both states also broadened the law’s exemptions for small licensees. Under the NAIC law, licensees with 10 or fewer employees are exempt from its requirements, while Ohio’s law exempts licensees with 20 or fewer employees, and Michigan’s exempts licensees with 25 or fewer employees.

Additionally, Ohio’s law provides a legal safe harbor for insurance licensees against lawsuits alleging that insufficient cybersecurity measures on the licensee’s part caused a data breach, provided the licensee can prove it has satisfied the new law’s requirements. Ohio’s law also narrows the definition of a “cybersecurity event” by requiring that the event not only stem from unauthorized access to or misuse of information but also have “a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.”

Rob Boyce, Director, Market Intelligence & Insights