On Oct. 24, the National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law).

The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, the District of Columbia, and five U.S. territories.

The model law applies to "licensees," which are defined as persons and nongovernmental business entities subject to the insurance laws of the state adopting the model law.

In Pennsylvania, for example, this would encompass insurance companies and insurance producers (i.e., agents, agencies and brokers). Notably, this applies to nonresident licensees except for purchasing groups, risk retention groups or when acting as assuming insurer.

For example, a broker resident in a state that has not adopted the model law is potentially subject to the model law if they are also licensed in another state that has adopted the model law. Thus, it will be important to track which states enact the model law and also how uniformly the model law is enacted from state to state.

Standards

The intent of the model law is to establish standards for data security, the investigation of cybersecurity events and notification of the commissioner of cybersecurity events. In order to understand how the model law attempts to meet those objectives, it is necessary to understand how the model law has defined the different elements that are involved in cybersecurity.

A cybersecurity event is defined as "an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system." Information system is defined broadly as "a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information …" and expressly includes "specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems."

This broad definition encompasses not only traditional computer networks and devices, but also other machines that fall under the rubric "the internet of things" and systems such as HVAC systems, which have been the entry point for hackers in notable data breaches. Information security program means "the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information."

Nonpublic info

Nonpublic information is defined more broadly than in most data breach notification laws and includes business-related information of the licensee the disclosure of which could cause a material adverse impact on the licensee's business, operations or security. Nonpublic information also includes any information about a consumer which can be used to identify the consumer in combination with any one or more of Social Security number, driver's license or other identification number, account number, credit or debit card number, security code, access code or password to a financial account, or biometric records.

Nonpublic information also includes any data other than age and gender derived from a health care provider or the consumer related to the consumer's past, present or future physical, mental, or behavioral health or condition or that of the consumer's family. Publicly available information means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records; widely distributed media; or disclosures to the general public required by federal, state, or local law.

Written security program required

The model law requires licensees to implement a comprehensive written information security program based on the licensee's risk assessment. As part of the information security program, the licensee must designate an individual (who can come from a third party) to be responsible for the information security program.

The risk assessment must:

  • identify reasonably foreseeable internal and external threats to nonpublic information, including any information systems or nonpublic information that are controlled or accessible by third-party service providers;
  • assess the likelihood and severity of damage by these potential threats;
  • assess the sufficiency of existing policies, procedures, and technology in place to protect against such threats; and
  • implement information safeguards to manage the identified threats and at least annually assess their effectiveness.

The model law puts special emphasis on assessing the licensee's policies, procedures, information systems and safeguards with respect to:

  • employee training and management;
  • information systems, including information classification, governance, processing, storage, transmission and disposal; and
  • detecting, preventing, and responding to attacks, intrusions, or other system failures.

Continuing risk management

The model law also mandates that licensees perform continuing risk management with respect to cybersecurity issues. A licensee, commensurate with its size and the complexity of its activities, shall design its information security program to mitigate the risks identified in the risk assessment.

At a minimum, a licensee must evaluate the appropriateness of implementing 11 enumerated security measures, including implementing access controls with authentication on information systems, restricting access at physical locations holding nonpublic information, encryption, and regularly testing and monitoring systems and procedures to identify actual and attempted attacks or intrusions.

Licensees must also include cybersecurity risks in their enterprise risk management process, stay informed regarding emerging threats and vulnerabilities, and provide their personnel with cybersecurity awareness training as necessary to reflect risks identified in the risk assessment.

The model law also mandates oversight of the information security program by a licensee's board of directors, if applicable. Other responsibilities include oversight of third-party service providers; ongoing monitoring, evaluation, and adjustment as necessary of the information security program; establishment of a written incident response plan; and annual certification of compliance with Section 4 to the (insurance) commissioner.

Required investigation & notification

The model law also contains detailed provisions regarding the investigation of, and notification regarding, cybersecurity events. Licensees must investigate whenever there is or may have been a cybersecurity event. The investigation can be performed by an outside vendor on behalf of the licensee.

There are separate notification requirements for the commissioner, consumers and reinsurers. The commissioner also has the authority to investigate licensees' compliance with the model law and to take action to enforce the model law.

Importantly, the model law provides for confidentiality of information provided pursuant to a licensee's annual certification under Section 4(I), much of the information that must be reported to the commissioner following a cybersecurity event under Section 6, and investigations under Section 7.

The model law expressly provides that these documents are not subject to freedom of information act or similar laws, subpoenas or discovery in civil actions, and are inadmissible in civil actions.

The commissioner is authorized to use such documents as necessary in any action or proceeding it institutes to enforce the model law under Section 7. There is an exception for licensees with fewer than 10 employees, including independent contractors, and for individual licensees who are covered by the information security program of another licensee.

In addition, licensees subject to HIPAA that have established and maintain information security programs pursuant to HIPAA are deemed to be in compliance with Section 4. In Section 10 the model law contemplates penalties for noncompliance in accordance with the enacting state's general penalty statute. Section 11, which is noted as optional, allows for the implementation of additional rules and regulations necessary to carry out the provisions of the model law.

N.Y. cybersecurity rules

The model law is similar, but not identical, in structure and scope to New York's recent cybersecurity rules applicable to banks, insurance companies and other financial services companies, 23 NYCRR 500 (N.Y. cyber rules). The model law contains a drafting note indicating it is the drafters' intent that if a licensee is in compliance with the N.Y. cyber rules then the licensee is in compliance with the model law.

Like the N.Y. cyber rules, the model law is based on a risk assessment or risk management approach to cybersecurity. This approach is widely regarded as a best practice. What is still very much in question is the ability of regulations of this type to actually improve cybersecurity. As both the model law and the N.Y. cyber rules tacitly acknowledge, there is no perfect answer or approach to cybersecurity.

Security measures necessary and appropriate for large companies will often not fit smaller companies and vice versa. Examples include the frequency and sophistication of penetration and other testing methods and the scope and intensity of employee training. Further, it is widely accepted by security experts that everybody is vulnerable no matter how rigorous their cybersecurity is. Can regulations effectively improve cybersecurity in this type of risk environment? We shall see.

Open questions

Another critical hurdle facing the model law, one that will greatly affect how effective it is in improving cybersecurity, is how widely and uniformly it is adopted by states. These are issues that often plague model laws regardless of subject, and there are numerous examples of limited adoption, lack of uniformity of adoption, or both in existing model laws. Penalties and enforcement are another area that could potentially vary greatly from state to state.

The NAIC looks to have come up with a fairly balanced approach to cybersecurity regulation, and companies large and small would be wise to follow many of the processes and procedures required by the model law. But there are many open questions surrounding the model law, the answers to which will determine its success at improving cybersecurity in the insurance industry and as a model for other industries to follow.

Christopher M. Brubaker ([email protected]) of Clark Hill concentrates his practice in complex commercial litigation and insurance matters. He regularly provides advice to companies on insurance and cyberrisk issues related to transactions and risk management and also advises companies on regulatory matters involving insurance and environmental laws, rules and regulations. He frequently speaks and writes on cybersecurity matters for legal and professional groups.
