A Guide to the NAIC’s Insurance Data Security Model Law
August 3, 2020
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law and released it to the states for legislative consideration. The NAIC used New York's Cybersecurity Regulation (23 NYCRR Part 500) as its framework. The Model Law outlines standards and best practices that insurance companies should build into their information security programs.
Although all 50 states have passed data breach notification laws, not all have established cybersecurity standards like those outlined in the NAIC Model Law. Some of these standards include:
- A comprehensive information security program
- Information security requirements for third party vendors
- An incident response plan
- Notification requirements in the event of a breach
Read on to learn more about these requirements and how you can implement them.
Why is This NAIC Model Law Necessary?
The purpose of the NAIC Model Law is to establish standards for data security and breach notification for licensees.
Licensees are individuals and nongovernmental entities (such as insurance agents and agencies) that are licensed, authorized to operate, or registered under their state's insurance laws. The term can also cover other businesses, such as car rental companies and travel agencies, that are subject to state insurance laws.
Any person or entity that handles confidential information, including licensees in the healthcare sector, can be targeted by attackers or exposed to staff negligence, either of which can result in a breach. Maintaining appropriate cybersecurity standards helps prevent such an incident from taking place. If a cybersecurity event does occur, the same measures give you a way to contain and remediate it, protect consumers, and keep your business running.
Next, we’ll walk you through the different components of the Model Law, starting with the information security program requirement.
Information Security Program
The NAIC Model Law requires licensees to perform a risk assessment to identify possible threats to information security. Licensees must then implement a security program that includes safeguards for managing those threats. The program must be proportionate to the licensee's size, the nature of its business, and the sensitivity of the information it handles.
Each licensee’s information security program should include the following components:
- Risk assessment: This is a proactive assessment of possible threats to the security of information systems. You should assess the potential damage of these threats. Are your policies able to safeguard against them or provide a framework for recovery in the event of a breach?
- Risk management: Design your information security program to mitigate the identified risks. Implement the proper security measures, periodically reevaluate risks and measures taken against them, and train your staff on cybersecurity awareness.
- Oversight by a board of directors: The licensee’s board of directors should require the implementation and maintenance of an information security program. This should include an annual review of the program’s strengths and weaknesses.
- Oversight of third-party service providers: Licensees may use third-party providers for services such as email encryption or eFax. These providers may be transporting PHI or storing it on their servers. Licensees should only choose providers they can trust with their data and should require providers to implement appropriate safeguards of their own.
- Program adjustments: Licensees should monitor their information security programs and make adjustments if improved technology appears or threats emerge.
- Incident response plan: Licensees should create a written incident response plan that details how they will respond to and recover from potential cybersecurity events.
- Annual certification of compliance: Licensees should submit a written statement to their state's insurance commissioner certifying that they are in compliance with the above information security requirements.
Investigation of a Cybersecurity Event
If a licensee experiences a cybersecurity incident, it should conduct a prompt investigation and attempt to determine the following information:
- Whether a cybersecurity event has occurred
- The nature and scope of the event
- Which information was involved in the event
The licensee should then restore the security of the affected information systems. If the event occurred in a system maintained by a third-party provider, the licensee should ensure that the provider takes the above steps and documents them. All records concerning cybersecurity events must be kept for at least five years and produced to the insurance commissioner on request. Licensees that are subject to a stricter record retention requirement, such as HIPAA's six-year retention rule for required documentation, should follow whichever requirement is most stringent.
Notification of a Cybersecurity Event
The NAIC Model Law requires each licensee to notify its state insurance commissioner as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred. The licensee must also notify the commissioner of any other state in which the nonpublic information of 250 or more consumers was involved in the event.
Licensees should also notify affected parties within the time required by their states’ data breach notification laws. If the cybersecurity event occurred in a system maintained by a third party, the licensee should carry out the same notification process.
Power of Commissioner and Confidentiality
Your state's insurance commissioner has the power to examine and investigate the affairs of any licensee to determine whether it has violated the state's insurance data security law, and to take whatever enforcement action the commissioner deems necessary under that law. The NAIC Model Law also provides that information a licensee gives the commissioner in the course of such an investigation is confidential and privileged: it is not subject to public records requests, subpoena, or discovery in private civil actions.
Depending on your state, its data security law may include a provision exempting you or your organization from some or all of its requirements. Several states exempt licensees with fewer than 25 employees. Others exempt licensees that already maintain comparable safeguards in compliance with HIPAA or other federal regulations. Note that in the Model Law itself, the HIPAA exemption covers only the information security program requirement; the investigation and notification duties still apply.
What Effects Will this NAIC Model Law Have?
In states that have adopted the NAIC Model Law, licensees are typically given one year from the effective date to develop an information security program, and two years to put third-party service provider oversight in place. This means licensees need to open a dialogue with their third-party providers about safeguards, oversight, and incident response well before the deadline.
In October 2017, the U.S. Treasury Department endorsed the Model Law and recommended that Congress pass a similar law if states do not implement uniform data breach notification requirements in the next five years. Since then, 20 states have adopted their own versions of the Model Law. These states include Alabama, Arkansas, California, Colorado, Delaware, Massachusetts, Maryland, Michigan, New Jersey, New Mexico, New York, Ohio, Oregon, South Carolina, South Dakota, Tennessee, Utah, Virginia, Vermont, and Washington.
NAIC Model Law and HIPAA
It is important to note that HIPAA provides a comprehensive framework that meets the standards of many cybersecurity regulations. If your organization is already HIPAA compliant, you are already following most of the NAIC Model Law's standards. Two requirements worth checking in particular are the 72-hour notification to the insurance commissioner (HIPAA's Breach Notification Rule allows up to 60 days) and the annual certification of compliance, neither of which HIPAA covers. If this regulation applies to you and you're HIPAA compliant, review the law (or this article) to confirm that every requirement is met.
Contact us at email@example.com to learn more about your state's cybersecurity laws.