There are two interesting updates to the progress of the NAIC Model Law. First, there are four states working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along with their efforts. A newcomer, Louisiana, is now moving down this path as well. Because the Model Law was introduced so late in 2017, many states may not have ample time to add this to their 2018 legislative calendars.
Second, at the fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. They recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise Federal preemption may result. In other words, Congress could act to pass legislation setting uniform requirements for insurance data security.
Update: December 19, 2018
There has been an increased level of activity surrounding states taking action to adopt the NAIC Insurance Data Security Model Law or a version of the law. Unofficially, industry sources indicate as many as 12 states are taking steps in this direction. We anticipate more states becoming active given the federal pressure mentioned previously and the information that follows.
Since our last blog update, two states have moved very quickly. Michigan currently has a bill in circulation already having House approval. Ohio has fully passed a bill and has sent to Governor John Kasich for his final approval.
Update: February 20, 2018
Since our last blog update, Michigan House Bill 6491 was approved by the Governor on December 28, 2018. Michigan is taking a more phased implementation approach providing an effective date of January 20, 2021. According to State Net Capitol Journal from LexisNexis, thirteen additional states have bills introduced referring to “insurers”, “data security” and “cybersecurity”: Alabama, Georgia, Illinois, Kansas, Kentucky, Maryland, New Mexico, New York, Oregon, Utah, Virginia, Washington, and West Virginia.
Update: April 18, 2019
Mississippi became the latest to adopt the NAIC Insurance Data Security Model Law. Mississippi Senate Bill 2831, titled Insurance Data Security Law, was passed by the Senate on February 3, 2019, then passed by the House on March 13, 2019, and approved by the Governor on April 3, 2019. Information about the Mississippi Data Security Law has been added to the table below.
Update: September 2020
So far this year, three more states have enacted a version of the Model Law; Virginia, Indiana, and Louisiana. 2020 has been a challenging year with the emergence of COVID-19 and we estimate that many state legislatures have amended their legislative calendars as priorities have shifted to manage a response to the pandemic. At this time, there are six additional states who are considering the adoption of the Model Law; Illinois, Oklahoma, Maine, Minnesota, Rhode Island, and Wisconsin. We will continue monitoring the evolution of state adoption and anticipate an uptick in activity once pandemic management and the economy have stabilized.
|South Carolina||Insurance Data Security Act||April 18, 2018||January 1, 2019||View Here|
|Ohio||SB 273 Chapter 3965||December 19, 2018||April 24, 2019||View Here|
|Michigan||House Bill 6491||December 28, 2018||January 20, 2021||View Here|
|Mississippi||Insurance Data Security Law||April 3, 2019||July 1, 2019||View Here|
|Alabama||Senate Bill 54||April 25, 2019||May 1, 2019||View Here|
|Connecticut||Insurance Data Security Law||June 26, 2019||October 1, 2019||View Here|
|New Hampshire||Senate Bill 194||June 5, 2019||January 1, 2020||View Here|
|Delaware||Insurance Data Security Act||July 31, 2019||July 31, 2019||View Here|
|Virginia||HB 1334||March 10, 2020||July 1, 2020||View Here|
|Indiana||HB 1372||March 20, 2020||July 1, 2020||View Here|
|Louisiana||HB 614||June 11, 2020||August 1, 2020||View Here|