The Standard – NAIC Cybersecurity Model Law: Coming Soon to a State Near You?

This article originally appeared in the January 11, 2019, issue of The Standard.

Several New England states are likely to see significant efforts to enact the National Association of Insurance Commissioners’ (NAIC) cybersecurity model law, officially titled the “Insurance Data Security Model Act,” during the 2019 legislative session.

The model law establishes standards for insurers and other licensees of insurance departments to develop and oversee self-designed risk-based programs to protect sensitive consumer information. It sets requirements for licensees to provide information to insurance commissioners on an annual basis and also in the event of a defined cybersecurity event.

The model law has been a project of significance for the NAIC for some time, frequently cited as a priority and necessity by leaders of the regulator organization. It was developed in rather rapid fashion by the NAIC’s cybersecurity working group between 2016 and 2017. It was finalized in October 2017, after more than a year and a half of drafting work, and set up to be ready for adoption by the states in the 2018 legislative sessions. The drafting process was at times contentious and at times tedious. The first draft of the model addressed data security requirements and also laid out a new breach response protocol, including consumer notification requirements, that would have made insurers unique among businesses regarding security breach requirements. It was exposed for comment in March 2016, and interested parties including trade associations and consumer organizations submitted 128 pages of comments expressing a variety of concerns.

Commissioners highly involved in the development of the model law suggested repeatedly during the process that their peers in other states were eager to see the model completed so they could pursue its passage in their states. However, it was introduced in only a few states during 2018, and two of those were the home states of the chair and vice chair of the NAIC cybersecurity working group.

Typically, when a model law is finalized at the NAIC, interested parties including industry trade associations have come to a resolution with the regulators on various issues and have agreed to support the model when it gets introduced in the states. Such was not the case with the Insurance Data Security Model Law, as several trade associations representing insurers and agents had substantial unaddressed concerns and had not agreed to support the model when introduced.

The model was first introduced in South Carolina where it was identified as a top priority for the legislative session by Ray Farmer, director of the state’s Department of Insurance. Likely due to his role as chair of the NAIC working group, Farmer was not open to considering amendments offered by industry representatives, and the bill passed in a form almost identical to the model.

Rhode Island was the second state in which the model was advocated, in this case by Insurance Superintendent Elizabeth Kelleher Dwyer, who served as vice chair of the NAIC working group and also headed a drafting subgroup that played a significant role in the model law’s development.

In contrast with the situation in South Carolina, in Rhode Island there was some indication that the Department of Business Regulation was open to some amendments to the bill to address industry concerns, and willing to address others in implementation such as by the issuance of a bulletin.

The bill did not end up getting passed by the Rhode Island General Assembly in 2018, however, and the department of insurance has indicated plans to seek its passage in 2019.

That was how things stood — with the model being proposed in just two states and passed in only a single state — for the bulk of 2018, but late in the year two other states — Ohio and Michigan — took action.

In Michigan, House Bill 6491 was introduced on November 8, passed by the legislature in December, and signed by Gov. Rick Snyder on December 28.

In Ohio, Senate Bill 273 was enacted as new Chapter 3965 in December. Both the Ohio and Michigan bills contain material modifications compared to the NAIC model that likely make them more favorable to some industry groups. It will be of interest whether and how other states follow the precedent set by such states as opposed to South Carolina.

So the NAIC model is now law in three states and is expected to be considered by many more in 2019. Regarding New England states, the model is sure to be considered again in Rhode Island.

In addition, regulators in Maine and New Hampshire have also indicated plans to seek its passage. Maine Superintendent of Insurance Eric Cioppa is currently the president of the NAIC, so enactment of a high priority NAIC model in his state is a natural fit.

In every case where the model is considered, a critical question that will have an impact on its chances for enactment will be whether there is a willingness to incorporate amendments proposed by the industry.

The industry generally favors consistency from state to state, and in some instances regulators have questioned the pursuit of amendments based on that consideration. However, the various concerns about certain provisions of the model are substantial, so that from the industry’s perspective it may be preferable for a version approved by an early adopting state to in essence serve as the true model for other states to follow as opposed to the model as approved and adopted by the NAIC.

Paul Tetrault, JD, CPCU, ARM, AIM, is executive director of the Insurance Library Association of Boston, www.insurancelibrary.org. He also serves as chair of the CPCU Society’s regulatory and legislative interest group and is a member of the society’s publications committee.