Need to comply with NAIC's Insurance Data Security Model Law?

We can help. 


NAIC Webinar

 The NAIC Insurance Data Security Model Law has the potential to affect the entire insurance industry – including third-party service providers with access to the data and systems of insureds and producers.

We recently joined members of the NAIC Cybersecurity Task Force on an ACC Webcast to discuss the Model Law in detail and to review strategies for defensible compliance. 

Missed the webcast? 

Follow the link below to access the recording. 

Elizabeth Kelleher Dwyer, Superintendent of Banking and Insurance, Rhode Island Department of Business Regulation

Jennifer McAdam, Legal Counsel, National Association of Insurance Commissioners

Rebecca Perry, Director of Strategic Partnerships, Jordan Lawrence

NAIC Insurance Data Security Model Law 

Following the lead of NY's Department of Financial Services Cybersecurity Regulation, the National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law to establish insurance industry standards for data protection and security. 

South Carolina and Ohio are the first states to adopt the NAIC’s Data Security Model Law. The Model Law will have nationwide consequences as other states rush to follow suit in 2019. As of January 1, 2019, insurance companies in South Carolina must be compliant with the Model Law.

We can help.

Compliance Requirements

  1.  DATA INVENTORY. Licensees must identify where Nonpublic Information exists (all locations, media types, applications and third parties) to ensure adequate protection, access, retention and deletion.

  2.  DATA MINIMIZATION. Licensees must define and periodically evaluate the schedule for retention of Nonpublic Information and the mechanism for its destruction when no longer needed.

  3.  VENDOR RISK PROFILING. Licensees must have oversight of third-party service provider arrangements, exercise due diligence and require providers to take steps to protect Nonpublic Information.

Key Things to Know: 

  • 72-Hour Data Breach Notification Requirement

  • Board Oversight & Written Attestation 

  • Annual Submission to Insurance Commissioner

  • Document Proof of Compliance