The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and has since been enacted in South Carolina, Ohio, Michigan, Mississippi, and Alabama. The NAIC model itself borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). The NAIC's 2017 adoption of its model law set the stage for several state legislatures to take it up beginning in 2018, a trend that continues today.
Michigan passed its law in December 2018, and Mississippi, which exempted insurance producers from the data security requirements altogether, passed its law in early April 2019. Most recently, Alabama passed its version of the NAIC model in late April 2019, and Governor Kay Ivey signed it into law on May 1, 2019.
Below are some of the highlights of the Alabama law.
Like most of the earlier state versions, the Alabama law is based on the NAIC model and the South Carolina Insurance Data Security Act. It applies to all "licensees," defined as entities that are, or should be, licensed by the Alabama Department of Insurance. Unlike the Mississippi law, the Alabama version does apply to insurance agents and brokers. Licensees must develop and implement an information security program within one year of the law's passage, and must report certain types of cybersecurity events to the Alabama insurance commissioner.
Unlike some of its counterparts in other states, the Alabama law also provides for civil penalties, including suspension or revocation of the applicable license by the commissioner, if a licensee is found to be in violation. Like the others, it requires licensees to develop, implement, and maintain a written information security policy (WISP), and it expands the insurance commissioner's authority to monitor compliance and take enforcement action in certain instances of noncompliance. The law also changes the definition of personally identifiable information under Alabama law.
Like most similar laws, the Alabama version provides for phased-in implementation over the course of one or two years, depending on the provision. Also like the other states' versions, it exempts certain categories of would-be licensees. In Alabama, exemptions are available to licensees with fewer than 25 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets, and to licensees that certify to the Alabama Department of Insurance that they comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Source: https://lewisbrisbois.com/blog/category/data-privacy-cyber-security/legislative-alert-alabama-passes-heightened-cybersecurity-standards-for-the?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original