The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Working Group (Cybersecurity WG) approved Version 6 (Finalized) of its Insurance Data Security Model Law (Model) on August 7 at the NAIC Summer 2017 National Meeting in Philadelphia. The following day the Model was approved by the Innovation and Technology Task Force. Next, it will be considered by the NAIC Executive Committee, and if approved, sent to the Joint Meeting of the Executive Committee and Plenary for vote by all NAIC Members.

Version 6 of the Model incorporates significant changes from the first version released on March 2, 2016, including the narrowed purpose of establishing "standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees..." The Model applies to all Licensees, defined as individuals or non-governmental entities required to be authorized, registered, or licensed pursuant to a state's insurance laws. There are very limited exceptions to the definition. The Model also requires that all Licensees develop, implement, and maintain a comprehensive written Information Security Program (ISP).

The ISP should be based on an individual risk assessment and be commensurate with the Licensee's size and complexity, the nature and scope of its activities, and the sensitivity of the Nonpublic Information used or in the Licensee's possession, custody or control. The program should cover electronic and non-electronic Nonpublic Information. Nonpublic Information includes information that is not publicly available and covers material business information of the Licensee as well as specified personal, financial and health information concerning a Consumer or a family member.

The Model calls for oversight by the board of directors or an appropriate board committee, the designation of a person responsible for the ISP, and oversight and due diligence of all third-party service providers. A Licensee must also monitor its program to adjust for changes in technology and must establish a written incident response plan.

The Model includes specific requirements for investigation and notification to the Commissioner in the case of a Cybersecurity Event. A Cybersecurity Event is defined as an event resulting in unauthorized access to, disruption, or misuse of an information system or information stored on such system. It does not include encrypted information where the key has not been acquired, released or used, or events where the Licensee has determined that the Nonpublic Information has not been used or released and has been returned or destroyed. Notification to the Commissioner of the domicile or home state, and any other state where 250 or more impacted insureds reside, is required within 72 hours from determining that a Cybersecurity Event has occurred. Notification to affected consumers is governed by the state general data breach notification laws, with copies of such notices provided to the Commissioner.

A Licensee is required to certify to the Commissioner annually (no later than February 15) that it is in compliance with the requirements of "Section 4 – Information Security Program," and to maintain the materials and documentation used to support the certification for five years.

The Data Security Model Law provides for three exceptions from the Section 4 ISP requirements: a Licensee with fewer than 10 employees (including independent contractors); a Licensee that certifies in writing that it has established and maintains an ISP that meets HIPAA requirements; and a Licensee that is an employee, agent, representative, or designee of another Licensee and is covered by that Licensee's ISP, as long as that program complies with Section 4.

After evolving through multiple versions and considering a multitude of comments from the insurance industry and interested parties, Version 6 of the Model closely tracks New York's Cybersecurity Regulation ("NY Regulation"). Importantly, the Model includes a drafting note indicating that the Cybersecurity WG intends compliance with the NY Regulation to satisfy the Model's requirements. The note states: "The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit. 23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act."

Examples of some major similarities with the NY Regulation include:
- Several similar definitions, such as: Cybersecurity Event, Information System, Multi-Factor Authentication, Nonpublic Information, Person, and Publicly Available Information. It is important to note that, unlike the Model, the NY Regulation covers electronic information only and, with respect to the Cybersecurity Event definition, includes "any act or attempt, successful or unsuccessful".
- Both the Model and the NY Regulation require that the Licensee perform a risk assessment.
- Written policies and procedures addressing the ISP, third-party vendor management and incident response.
- Annual reporting to the board of directors, or similar authority, by the person responsible for an Information Security Program.
- Requirement to ensure the use of secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications.
- Notification to the Commissioner as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.
- Annual documentation of compliance with the ISP.
- An exemption for Licensees with fewer than 10 employees.

While many industry participants view the inclusion of the NY Regulation concepts as a positive development, there is still industry concern regarding several aspects of the Model, including but not limited to, its confidentiality provisions and notice requirements.

Carlton Fields Jorden Burt, P.A. will continue to monitor the Data Security Model Law's progress, including whether eventual state adoption of the Model is uniform and includes the New York safe harbor intended by the Cybersecurity WG.