The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and has since been enacted in South Carolina, Ohio, Michigan, Mississippi, and Alabama. The NAIC model itself borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). The NAIC’s 2017 adoption of MDL-668 set the stage for several state legislatures to place it on their legislative calendars.
Michigan passed a law in December 2018, and Mississippi passed its law in early April 2019. Most recently, Alabama passed its version of the NAIC model in late April 2019.
Mississippi is the first state to exempt insurance producers from its version of the law altogether. Below are some of the highlights of the Michigan and Mississippi laws.
Michigan enacted its version of the NAIC model on December 28, 2018. Like Ohio’s law, Michigan’s was based on the NAIC model and the South Carolina Insurance Data Security Act. Michigan’s law applies to all “licensees,” defined as entities that are, or should be, licensed by the Michigan Department of Insurance and Financial Services.
Under the Michigan law, licensees are required to:
- Adopt a comprehensive written information security program (WISP)
- Submit an annual certification of compliance to the Department of Insurance and Financial Services
- Notify the Department on an accelerated timeline, in addition to other notification obligations, when a cybersecurity event exceeds certain thresholds
The Michigan law matches South Carolina’s in most respects, particularly its key definitions, required security measures, the WISP requirement, the role of the board of directors, oversight of third-party service providers, the incident response plan, and certification and recordkeeping. However, the Michigan law gives licensees ten (10) business days in which to notify the director of the Department of a cybersecurity event (in contrast to South Carolina’s 72 hours and Ohio’s three business days). Like most similar laws, the Michigan version phases in implementation over one or two years, depending on the provision.
Finally, Mississippi’s governor signed its law on April 3, 2019. Mississippi’s law differs from its predecessors in several notable ways, but most importantly for PIA National members, Section 9 exempts “insurance producers” from all obligations imposed by it.
As we continue to work with state legislators on data security, the Mississippi version will lend momentum to the position that insurance agencies around the country should not be subject to the NAIC data security model law.