March 1, 2018
Rudy Verner and Rylee Johnston
On Oct. 24, 2017, the National Association of Insurance Commissioners (NAIC), a regulatory support organization consisting of the top insurance regulators from every state, formally approved the Insurance Data Security Model Law (Model Law). The Model Law creates rules for insurers and other regulated insurance entities surrounding the maintenance of an information security program based on ongoing risk assessment, data breach investigations, and notification protocol in response to data breaches.
The Model Law includes some of the most comprehensive and stringent data breach notification requirements in the relatively new industry of data breach insurance policies. For example, under the Model Law, when a data breach affects more than 1,000 consumers, insurers are required to notify law enforcement, state insurance commissioners, credit reporting agencies, and compromised consumers. In response to recent high-profile data breaches, NAIC President and Wisconsin Insurance Commissioner, Ted Nickel, applauded the Model Rule, noting: “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”
Upon adoption by state authorities, the Model Law is expected to bring a more uniform and predictable handling of data security breaches to the insurance industry. At the federal level, the Treasury Department, in its November 2017 Report on Asset Management and Insurance, endorsed the Model Law and recommended that Congress preempt state laws if the Model Law is not adopted in the next five years. In addition to the NAIC’s work, Congress is working on several other legislative proposals relating to data security for consumers, some of which would preempt state law.
One thing is clear – widespread data breaches have attracted the attention of more people than just consumers. Lawmakers and insurance commissioners will continue to implement regulations to address the ongoing cybersecurity issues that will inevitably drive the formation of an entirely new cyber security insurance industry. The NAIC’s Model Rule marks a significant step towards the development of a more uniform, state-by-state regulatory data-breach notification framework. Lawyers and policyholders will certainly play a critical role in navigating the stringent data security, investigation, and post-breach notification requirements under the Model Rule and any new state laws enacted in response to the Model Law.
If you have any questions regarding data security or data breach law, please contact Rudy E. Verner at BHGR Law at 303-402-1600.