In March 2017, New York’s path-breaking cybersecurity law for financial services companies went into effect. Influenced by the New York law (“New York Part 500”), the National Association of Insurance Commissioners adopted an “insurance data security” model law 668 late in 2017. Today, in 2019, it is clear that model law 668 is indeed proving to be an important example for regulatory and legislative activity impacting insurers. Laws substantially modelled off of NAIC 668 have now been passed in Michigan, Mississippi, South Carolina, and Ohio, and bills are pending in the current legislative session in New Hampshire and Connecticut. This blog post compares key elements of the NAIC model law to New York’s cybersecurity law and examines how states have implemented certain key elements of model law 668 so far.
Broad Application to All “Licensees.” Model law 668, and the state laws modelled off of it, follow New York Part 500 in applying broadly to any entity operating or required to operate under a state license pursuant to relevant state financial laws, particularly insurance laws. However, unlike New York Part 500, the model law 668 definition of “licensee” excludes “a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.” Each of the current laws modelled off of NAIC 668 reflects this technical limitation. Thus, affiliates of a licensee located outside the state in question may be exempt from the cybersecurity requirements.
Broad Definition of “Information Systems” and “Nonpublic Information.” Following New York Part 500, model law 668 adopts broad definitions of “information systems” and “nonpublic information” (NPI). Under both model law 668 and New York Part 500, NPI includes “business related information” of the licensee the unauthorized disclosure, access or use of which could cause a “material adverse impact” to the business, operation or security of the licensee. NPI also includes (1) information identifying a consumer plus additional data elements such as a social security number or account number and (2) health care related information. Implementing state laws mostly follow this shared definition of NPI, though Mississippi’s law and current drafts of New Hampshire’s bill do not include “business related information” within the definition of NPI. Unlike New York Part 500, model law 668 does not expressly limit NPI to “electronic information.” Michigan and Mississippi deviate from model law 668 in this respect and, like New York Part 500, define NPI as “electronic information.”
Substantive security controls. Unsurprisingly for ‘data security’ and ‘cybersecurity’ laws, New York Part 500, model law 668, and each of the state laws and bills modelled off of 668 impose substantial security requirements on licensees. Under all of these laws, the required security elements include risk assessments, written information security plans, access restrictions, encryption, secure application development, vendor oversight, and organizational controls such as cybersecurity training, designation of a responsible ‘owner’ of the information security program, and board oversight and board reporting (where a board exists).
Limitations and Exemptions. Like New York Part 500, model law 668 provides certain exemptions from substantive security requirements for small entities with fewer than 10 employees, including independent contractors. Here, particular state laws frequently offer their own unique approaches. These approaches reflect different thresholds for employee count, different rules regarding inclusion or exclusion of independent contractors when counting the number of employees, and additional (and differing) exclusions based on an entity’s gross revenue.
Model law 668 and its implementing state laws additionally qualify specific security requirements in a way not reflected under New York Part 500. Under model law 668, the security controls may be considered as “appropriate” prior to implementation. Though precise wording varies between states, all of the state laws noted above include a similar ‘appropriateness’ concept. This differs from New York Part 500, which does not include an express ‘appropriateness’ concept when prescribing particular security controls. Thus, model law 668 and its implementing state laws may provide companies with some reasonable flexibility to determine which ‘appropriate’ security controls to implement.
Certification. New York Part 500 requires licensees to provide annual written certification to the New York Department of Financial Services regarding their compliance with Part 500. Model law 668 and the implementing state laws noted above each include a similar requirement, with one notable difference: these laws apply the requirement to “insurers” instead of generally to “licensees.” Depending upon particular state regulatory schemes, some businesses may be “licensees” without being an “insurer.” Such entities, which are “licensees” but not “insurers,” may thus be exempt from certification requirements under model law 668.
Of course, this post does not consider every aspect of model law 668 and its progeny; each of these laws contains additional detail on important topics like handling of data security incidents. Nevertheless, as evident from the above, it is clear that model law 668 is having, and likely will continue to have, a significant impact on insurance regulation across states.