September 2017 WI Independent Agent

Page 7

GOVERNMENT AFFAIRS

NAIC CYBERSECURITY MODEL LAW

The National Association of Insurance Commissioners (NAIC) recently concluded its Summer National Meeting, and I wanted to provide you with an update on the activity that occurred in connection with the regulatory organization’s Insurance Data Security Model Law. The NAIC began its development of the cybersecurity model law nearly two years ago, and a revised version of the proposal was brought to a vote and approved by the Cybersecurity Working Group last week. The working group’s parent task force took similar action, and the proposal is expected to be approved by the full membership of the NAIC during a conference call to be held in the near future.

The development of this model law has been the focus of considerable IIABA attention and a source of significant association concern, but I am pleased to report that the proposal has been significantly revised and improved over the last four months. With these final revisions in place, IIABA did not oppose the adoption of the proposal by the NAIC committees. The version of the model approved by the working group is considerably different than the iterations unveiled last year, and it is also more reasonable and less onerous than the cybersecurity regulation promulgated by the New York Department of Financial Services in February. The progress that has been made since the start of this process is the direct result of the advocacy and grassroots work of our state associations, and our South Carolina organization played a particularly helpful role in securing the final amendments last week. I thank all of you for your help in this endeavor.

Some of the most notable provisions and recent changes are outlined below:

> The core elements of the model require licensees to establish an information security program that is commensurate with the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of the information being guarded. The requirements are flexible and risk-based, and a licensee’s security program must respond to and mitigate the risks identified in the entity’s risk assessment. Earlier versions of the model would have required the adoption of certain identified practices by all licensees, but it now requires covered businesses to consider whether it is appropriate to implement a series of 11 specific security measures. As a result of some last-minute amendments included at the request of IIABA last week, the model no longer requires state-of-the-art protections to be implemented or specific actions to be taken.

> Perhaps most notably, the data security requirements described above now only apply to licensees with ten or more employees. This means that most IIABA members would be exempt from the model’s data security requirements. The model also includes a safe harbor for entities that are compliant with the privacy requirements of the Health Insurance Portability and Accountability Act and submit a statement certifying compliance to regulators, and these provisions were also recently revised to address IIABA concerns and make it easier to take advantage of this provision.

> The model’s data security requirements now apply to a more specific and much narrower universe of information than originally proposed.

> One of IIABA’s biggest concerns has been the manner in which previous versions of the proposal imposed excessive burdens, strict liability, and unrealistic duties on licensees in relation to their engagement with third-party service providers. These provisions were significantly modified late last week at the request of IIABA. The model now requires that licensees simply exercise due diligence and reasonableness in selecting third-party vendors that have access to a licensee’s sensitive information and require those entities to implement “appropriate” measures to protect and secure such data. As with the other data security mandates, these revised requirements only apply to licensees with at least ten employees.

> The model requires insurers to annually certify to their domestic state regulators that they are in compliance with the information security requirements and have instituted an appropriate security program. This requirement does not apply to agents and brokers.

> Licensees that suffer data breaches (which are referred to as “cybersecurity events” in the model) must notify their home state regulators within 72 hours of discovering the event. If the breach affects the records of 250 or more residents of any other jurisdiction, then the licensee must also notify that state’s officials. Insurers that are the victim of a breach must also inform the agents of record for all of the affected consumers.

> The model previously included a series of consumer notification requirements that would have applied in the event that a licensee suffers a data breach. The provisions were quite extensive and, among other things, would have required licensees to offer free identity theft protection services to consumers potentially affected by a data breach. All of the consumer disclosure requirements were deleted earlier this year, and licensees must comply with existing state law.

> The model previously included a provision that would have given regulators the open-ended authority, in the event of a data breach, to “prescribe the appropriate level of consumer protection required … and for what period of time that protection will be provided.” That section was deleted.

> The model initially created a private right of action that could have been used by consumers to bring litigation against licensees that fail to comply with the model’s requirements, but that provision was deleted last year.

> The model’s effective date is one year after a state measure’s enactment, and this is double the amount of time originally proposed.

Although the model has been significantly improved and its most troubling provisions have been eliminated, the proposal is not perfect. There are several areas where further amendments and technical revisions may be helpful and provide further clarity, and we are prepared to assist state associations with these items if legislation based on the model law is pursued at the state level.

Wes Bisset, Senior Counsel, Government Affairs for the Independent Insurance Agents and Brokers of America.


