On October 24, 2017, the National Association of Insurance Commissioners (the “NAIC”) adopted the Insurance Data Security Model Law (the “Model Law”).  According to the NAIC’s press release, the purpose of the Model Law is to provide “rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach.”  The NAIC is a U.S. standard-setting and regulatory support organization composed of state-level insurance regulators, and the Model Law is non-mandatory model legislation that states must voluntarily adopt in order for it to be enforceable.  Importantly, based on a Drafting Note in the Model Law, the drafters intended for entities that are in compliance with the New York State Department of Financial Services (the “DFS”) Cybersecurity Regulations, which apply to DFS-licensed banks and insurance companies operating in New York, to be automatically in compliance with the Model Law as well.  Similar to the DFS’s Cybersecurity Regulations, the Model Law sets forth standards for data security, as well as for the response to, and notification of, data breach incidents.

While the Model Law specifically seeks to protect consumers of insurance products, its promulgation, along with the recent announcement of enhanced penalties for data breaches in the SHIELD Act as proposed last week by the New York Office of the Attorney General, further evidences the growing concerns surrounding the protection of consumer data and security.  The Model Law also demonstrates the “domino effect” that can occur when one regulatory authority (here, the DFS) imposes certain requirements that then influence the approach taken by other regulatory authorities and support organizations (here, the NAIC).

The NAIC’s press release can be accessed here and the full text of the Model Law can be accessed here.