There are two interesting updates to the progress of the NAIC Model Law. First, there are four states working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along with their efforts. A newcomer, Louisiana, is now moving down this path as well. Because the Model Law was introduced so late in 2017, many states may not have ample time to add this to their 2018 legislative calendars.
Second, at the fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. They recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise Federal preemption may result. In other words, Congress could act to pass legislation setting uniform requirements for insurance data security.
Update: December 19, 2018
There has been an increased level of activity surrounding states taking action to adopt the NAIC Insurance Data Security Model Law or a version of the law. Unofficially, industry sources indicate as many as 12 states are taking steps in this direction. We anticipate more states becoming active given the federal pressure mentioned previously and the information that follows.
Since our last blog update, two states have moved very quickly. Michigan currently has a bill in circulation already having House approval. Ohio has fully passed a bill and has sent to Governor John Kasich for his final approval.