In October 2017, the NAIC adopted its Insurance Data Security Model Law and released it to the states for legislative consideration. The purpose of the Model is to “establish standards for data security and standards for the investigation and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.” In this alert, we briefly outline the requirements of the Model and provide an update on the status of the Model among the states and information on compliance effective dates. We will continue to monitor these issues.
Among its most significant provisions, the Model requires that all licensees develop, implement and maintain a comprehensive Information Security Program (ISP) that is based on an individual risk assessment and that is commensurate with the licensee’s size and complexity, the nature and scope of its activities, and the sensitivity of the nonpublic information used or in the licensee’s possession, custody or control. The program should address electronic and nonelectronic, nonpublic information. Nonpublic information covers information that is not publicly available and includes material business information of the licensee as well as specified personal, financial and health information concerning a consumer or a family member.
Read the full article on the Faegre Drinker website.