NAIC Insurance Data Security Model Law Update

There are two interesting updates to the progress of the NAIC Model Law. First, there are four states working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along with their efforts. A newcomer, Louisiana, is now moving down this path as well. Because the Model Law was introduced so late in 2017, many states may not have ample time to add this to their 2018 legislative calendars.

Second, at the fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. They recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise Federal preemption may result. In other words, Congress could act to pass legislation setting uniform requirements for insurance data security.

Update: December 19, 2018

There has been an increased level of activity surrounding states taking action to adopt the NAIC Insurance Data Security Model Law or a version of the law. Unofficially, industry sources indicate as many as 12 states are taking steps in this direction. We anticipate more states becoming active given the federal pressure mentioned previously and the information that follows.

Since our last blog update, two states have moved very quickly. Michigan currently has a bill in circulation that already has House approval. Ohio has fully passed a bill and has sent it to Governor John Kasich for his final approval.

Update: February 20, 2018

Since our last blog update, Michigan House Bill 6491 was approved by the Governor on December 28, 2018. Michigan is taking a more phased implementation approach providing an effective date of January 20, 2021. According to State Net Capitol Journal from LexisNexis, thirteen additional states have bills introduced referring to “insurers”, “data security” and “cybersecurity”: Alabama, Georgia, Illinois, Kansas, Kentucky, Maryland, New Mexico, New York, Oregon, Utah, Virginia, Washington, and West Virginia.

Update: April 18, 2019

Mississippi became the latest to adopt the NAIC Insurance Data Security Model Law. Mississippi Senate Bill 2831, titled Insurance Data Security Law, was passed by the Senate on February 3, 2019, then passed by the House on March 13, 2019, and approved by the Governor on April 3, 2019. Information about the Mississippi Data Security Law has been added to the table below.

| State | Law Name | Passed | Effective | Link |
| --- | --- | --- | --- | --- |
| South Carolina | Insurance Data Security Act | April 18, 2018 | January 1, 2019 | View Here |
| Ohio | SB 273 Chapter 3965 | December 19, 2018 | April 24, 2019 | View Here |
| Michigan | House Bill 6491 | December 28, 2018 | January 20, 2021 | View Here |
| Mississippi | Insurance Data Security Law | April 3, 2019 | July 1, 2019 | View Here |