Hackers are not going away. Media reports of massive data breaches at banks, retailers, credit card companies, credit bureaus, and others have become a near-daily occurrence. And insurance companies collect large amounts of sensitive, non-public information, including personally-identifying information. There is little doubt that insurers are ripe targets for cyberattacks.
As a result, in 2014 the National Association of Insurance Commissioners (“NAIC”) adopted a Data Security Model Law (“Model Law”), with the goal of having it adopted in all fifty states. While that has not happened, eight states have adopted a version of the NAIC Model Law, and many others are considering adopting it wholesale or a version of it.
The provisions of the Model Law are relatively straightforward: it applies to “licensees” of a given state, and licensees are defined in the Model Law as “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State …” This means large carriers, small independent adjusters, and individuals and businesses providing insurance-related services such as agency or brokerage services. Arguably, it could even apply to non-insurers who are “licensed” in the State and offer rinsurance, such as rental car companies or travel agents! There are some limited carve-outs, such as small employers (less than 10 employees) being exempt from having and maintaining an information security program – but this is not to say that are exempt from the rest of the Model Law’s requirements, such as notification in the event of a data breach.
The Model Law requires implementation of an information security program, and contains provisions governing data breach investigations and notifications, as well as authorizing the regulatory agencies with enforcing same. It is important to note that the Model Law aims to protect more than “personal information” – it seeks to protect “nonpublic information” which is inclusive of and broader than “personal information” as typically defined. In practice, “nonpublic information” means information that, in the event of an unauthorized disclosure, would have a materially adverse impact on the licensee’s business, operations, or security. “Nonpublic information” includes certain standard pieces of “personal information” such as social security number, account and credit card numbers, etc., but reaches other nonpublic data as well.
The Model Law was adopted, in whole or in part, in South Carolina, Ohio, and Michigan in 2018. So far in 2019, Mississippi, Alabama, Delaware, Connecticut, and New Hampshire have adopted versions of it. In 2019, at least 43 states and Puerto Rico considered a combined 300 bills relating to cybersecurity, a significant number of them based on the Model Law.
Legislation to adopt the Model Law was introduced in 2018 in the Rhode Island legislature but did not emerge from committee. In 2019, a similar Senate bill failed again. That said, there is significant wind at the sails of the legislation nationwide, and it is expected that through the remainder of 2019 and into 2020, a number of additional states will adopt some version of the Model Law. If South Carolina and the other early-adopter states are any indication, as more states implement similar statutory regimes, licensees may have as short as twelve (12) months from the date of enactment to implement compliant information security programs. Given the amount of work that developing such a program entails, licensees may find themselves scrambling to comply despite the warning signs that stricter legislation was coming.
Ideally, both to avoid the horror of a full-scale data breach and to prepare for the inevitable regulatory scheme, impacted entities should consider remaining ahead of the curve by adopting an information security program now.
A version of this article appeared in The Anchor Fall 2019.