On August 17, the National Association of Insurance Commissioners published a draft model law to regulate the data security practices of insurance entities, requesting public comment by Sept. 16.
The NAIC is an organization created as a forum for state insurance leaders to coordinate, promote consistency and set standards and best practices. Since the insurance industry in the U.S. is regulated at the state level through the departments of insurance for each state and jurisdiction — fifty-six insurance commissioners in all, from fifty states, five territories and the District of Columbia — the NAIC's model laws and regulations can ease compliance challenges for multi-state "licensees" (insurance companies, agencies and others).
The Insurance Data Security Model Law is the latest product of the organization's Cybersecurity Task Force, following a draft-and-comment cycle conducted this past spring. The current iteration begins by setting its scope and crafting new definitions for terms often seen in other privacy and information security regulations. These provisions address who is a "consumer" whose information should be protected, what exactly qualifies as "personal information" for this law's purposes, and define more technical matters such as what "encryption" entails.
If adopted in a licensee's state, the law would affirmatively require these insurance entities to implement an information security program "designed to protect the security and confidentiality of personal information" that would match "the size and complexity of the licensee, the nature and scope of the licensee's activities and the sensitivity of the personal information." The licensee must designate an employee to run risk assessment and mitigation programs "based on generally accepted cybersecurity principles." (In previous versions, entities were required to comply with National Institute of Standards and Technology (NIST) frameworks, familiar to our CIPP/G readers.)
The model law further mandates oversight mechanisms to involve the board of directors and to explicitly limit third-party contracting to "providers that are capable of maintaining appropriate safeguards."
Perhaps the most impactful provisions relate to data breaches. After investigating a breach in which personal information is released, insurance entities must notify a variety of individuals and organizations, including the consumers to whom the information relates, law enforcement agencies, payment card networks and consumer reporting agencies. Notifications to consumers must be coordinated with the state insurance commissioner, and these communications must include particular details and further guidance.
In addition, within three business days of determining that a breach has occurred, a licensee must provide a report with certain enumerated details to the insurance commissioner in its state of domicile and to the commissioners of the states in which affected consumers reside. Commissioners would have the power to define some of the post-breach consumer interactions, including payment for identity theft protection, and to generally investigate and enforce compliance with the model law.
The NAIC's latest draft — which responded to industry comments by, among other things, clarifying preemption provisions, removing a private right of action and adding language integrating with existing state enforcement and penalty provisions — has nevertheless drawn mixed reviews. At the NAIC's summer 2016 national meeting, held just after the model law's release, one attendee representing the National Association of Mutual Insurance Companies, a major insurance trade organization, described "strong concerns" about the model law being discussed.
Many strong concerns voiced over latest draft of #NAIC #cybersecurity model law at #NAICSanDiego.
— Paul Tetrault (@PaultNAMIC) August 27, 2016
The Property Casualty Insurers Association of America, another major insurance trade organization, has said that the new law "shows progress [but] there are still significant issues."
While the draft NAIC Cyber Security Model shows progress, PCI says there are still significant issues that need to be resolved #NAICSanDiego
— Property Casualty (@PCIAA) August 27, 2016
You can view the model law in its entirety on the NAIC's website, along with a redlined version showing the changes made from the previous draft. The organization has requested that any comments be directed to Sara Robben by Sept. 16.