The NAIC’s Insurance Data Security Model Law Takes a Step Closer to Becoming Reality & Law Firms Should Pay Attention

By: Glenn M. Kenna

On October 24, 2017, the National Association of Insurance Commissioners (“NAIC”) adopted the Insurance Data Security Model Law (“Model Law”). The Model Law includes rules covering a broad range of data security, security breach investigation, breach notification, and risk management issues related to nonpublic information. The Model Law applies to insurers, agents, and other entities licensed under state insurance laws (“Licensees”). The passage of the Model Law by the NAIC should be a concern to every law firm as the Model Law would apply to prevent Licensees from contracting with firms that do not have adequate data security measures in place.
In part, the Model Law mandates that Licensees develop, implement, and maintain comprehensive written information security programs to, among other things, protect nonpublic information from unauthorized disclosure. Under the Model Law, Licensees must require “Third-Party Service Providers” – broadly defined as any person, not otherwise defined as a Licensee, with access to nonpublic information due to its contract with the Licensee – to implement appropriate measures to protect and secure nonpublic information that is accessible to, or held by, the Third-Party Service Provider. Nonpublic information under the Model Law includes any information that is not publicly available and which concerns a “Consumer which because of name, number, personal mark, or other identifier can be used to identify such Consumer in combination with any one or more of… (a) Social Security Number, (b) Driver’s license number or non-driver identification card number, (c) account number, credit, or debit card number, (d) any security code, access code, or password that would permit access to a Consumer’s financial account; or (e) Biometric records.” The Model Law further requires that the Licensee’s executive management or its delegates report annually on the Licensee’s compliance.
Law firms can and should develop (and follow) robust data security programs that comply with the ever-increasing body of data security laws, or risk being passed over by companies that are increasingly sensitive to their data security obligations and increasingly held responsible for breaches by third-party vendors. The NAIC’s passage of its Model Law follows the implementation of New York’s data security law in March, which the Model Law closely follows. Much like the Model Law, the New York law requires law firms to comply with detailed data security rules imposed on them by Licensees. It is only a matter of time until the Model Law or similar regulations of broad application are passed by each state. Law firms that ignore the rapidly changing data security landscape do so at their own peril.
If you have any questions or would like more information, please contact Glenn Kenna at [email protected].