Forecasting the future of cybersecurity legislation
The National Association of Insurance Commissioners (NAIC) late last month approved a final version of its Data Security Model Law after two years of drafting and debate.
This controversial model law – which would have imposed significant burdens on the agent and broker community – has long been a priority of the NAIC. However, considerable opposition from insurance industry stakeholders (including our own) slowed down the process significantly and resulted in a much-improved version of the model law.
Our industry has been active at the state and national levels expressing major concerns with the draft language over the last two years, securing necessary amendments to the latest version of the model. Earlier versions of the model law would have required licensees to develop and adhere to a comprehensive data security program and established requirements that would apply when personal information maintained by a licensee or service provider is improperly accessed or obtained. Both components would have applied broadly to all licensees and would have created new, complicated mandates for all agents.
As a direct result of agents’ advocacy efforts, which ramped up over the summer, some of the model law’s data security requirements now are much narrower and, of particular significance, only apply to licensees with 10 or more employees, exempting many of our member agencies. The model also includes an exemption for entities that are compliant with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
The need for agencies to implement these changes is not yet imminent. It is now up to individual state legislatures to introduce the model law as state-specific legislation, likely beginning in 2018. When that time comes, we plan to work with the state legislature and the state departments of insurance to make further agent-friendly changes to the law.
EDITOR'S NOTE: As a reminder, New York implemented a far-reaching cybersecurity regulation that impacts all New York licensees (residents and non-residents, individuals and agencies). The deadlines to create a cybersecurity program and to file for a limited exemption from some of the regulation's more stringent requirements have already passed. Review our online compliance resources for assistance.