NAIC Insurance Data Security Model Law Update


There are two interesting updates to the progress of the NAIC Model Law. First, there are four states working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along with their efforts. A newcomer, Louisiana, is now moving down this path as well. Because the Model Law was introduced so late in 2017, many states may not have ample time to add this to their 2018 legislative calendars.

Second, at the fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. They recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise Federal preemption may result. In other words, Congress could act to pass legislation setting uniform requirements for insurance data security.

Update: December 19, 2018

There has been an increased level of activity surrounding states taking action to adopt the NAIC Insurance Data Security Model Law or a version of the law. Unofficially, industry sources indicate as many as 12 states are taking steps in this direction. We anticipate more states becoming active given the federal pressure mentioned previously and the information that follows.

Since our last blog update, two states have moved very quickly. Michigan currently has a bill in circulation already having House approval. Ohio has fully passed a bill and has sent to Governor John Kasich for his final approval.

Update: February 20, 2018

Since our last blog update, Michigan House Bill 6491 was approved by the Governor on December 28, 2018. Michigan is taking a more phased implementation approach providing an effective date of January 20, 2021. According to State Net Capitol Journal from LexisNexis, thirteen additional states have bills introduced referring to “insurers”, “data security” and “cybersecurity”: Alabama, Georgia, Illinois, Kansas, Kentucky, Maryland, New Mexico, New York, Oregon, Utah, Virginia, Washington, and West Virginia.

Update: April 18, 2019

Mississippi became the latest to adopt the NAIC Insurance Data Security Model Law. Mississippi Senate Bill 2831, titled Insurance Data Security Law, was passed by the Senate on February 3, 2019, then passed by the House on March 13, 2019, and approved by the Governor on April 3, 2019. Information about the Mississippi Data Security Law has been added to the table below.

Update: September 2020

So far this year, three more states have enacted a version of the Model Law; Virginia, Indiana, and Louisiana. 2020 has been a challenging year with the emergence of COVID-19 and we estimate that many state legislatures have amended their legislative calendars as priorities have shifted to manage a response to the pandemic. At this time, there are six additional states who are considering the adoption of the Model Law; Illinois, Oklahoma, Maine, Minnesota, Rhode Island, and Wisconsin. We will continue monitoring the evolution of state adoption and anticipate an uptick in activity once pandemic management and the economy have stabilized.

State Law Name Passed Effective Link
South Carolina Insurance Data Security Act April 18, 2018 January 1, 2019 View Here
Ohio SB 273 Chapter 3965 December 19, 2018 April 24, 2019 View Here
Michigan House Bill 6491 December 28, 2018 January 20, 2021 View Here
Mississippi Insurance Data Security Law April 3, 2019 July 1, 2019 View Here
Alabama Senate Bill 54 April 25, 2019 May 1, 2019 View Here
Connecticut Insurance Data Security Law June 26, 2019 October 1, 2019 View Here
New Hampshire Senate Bill 194 June 5, 2019 January 1, 2020 View Here
Delaware Insurance Data Security Act July 31, 2019 July 31, 2019 View Here
Virginia HB 1334 March 10, 2020 July 1, 2020 View Here
Indiana HB 1372 March 20, 2020 July 1, 2020 View Here
Louisiana HB 614 June 11, 2020 August 1, 2020 View Here