There are two interesting updates to the progress of the NAIC Model Law. First, there are four states working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along with their efforts. A newcomer, Louisiana, is now moving down this path as well. Because the Model Law was introduced so late in 2017, many states may not have ample time to add this to their 2018 legislative calendars.
Second, at the fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. They recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise Federal preemption may result. In other words, Congress could act to pass legislation setting uniform requirements for insurance data security.