States Enact Data Security Measures: Alabama

The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and subsequently passed in South Carolina, Ohio, Michigan, Mississippi, and Alabama. Moreover, the NAIC model borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). The NAIC’s 2017 passage of its model law set the stage for several state legislatures to include it on their legislative calendars beginning in 2018 and continuing today.

Michigan passed a law in December 2018, and Mississippi, which exempted insured producers from the data security requirements altogether, passed its law in early April 2019. Most recently, Alabama passed its version of the NAIC model in late April, and it was signed into law by Governor Kay Ivey on May 1, 2019.

Below are some of the highlights of the Alabama law.

Like most of the earlier versions, the Alabama version of the law was based on the NAIC model and the South Carolina Insurance Data Security Act. Alabama’s law applies to all “licensees,” which are defined as entities that are or should be licensed by the Alabama Department of Insurance. Unlike the Mississippi law, the Alabama version does apply to insurance agents/brokers. Under the Alabama law, licensees are required to develop and put in place an information security program within one year from the passage of the law, and licensees are required to report some types of cybersecurity events to the Alabama insurance commissioner.[1]

Unlike some of its equivalents in other states, the Alabama law also provides for civil penalties, including commissioner suspension or revocation of the applicable license, if licensees are found to be violating this law. Like the others, it also requires that licensees develop, implement, and maintain a written information security policy (WISP), and it expands the power of the insurance commissioner to monitor compliance with the law and take penal action in some instances of noncompliance. The law also changes the definition of personally identifiable information in Alabama.

Like most similar laws, the Alabama version provides for phased-in implementation over the course of one or two years, depending on the provision. Also like the other states’ versions, there are exemptions for certain categories of possible licensees. In Alabama, exemptions are available to licensees with fewer than 25 employees, less than $5 million in gross annual revenue, less than $10 million in year-end total assets, or those that can certify to the Alabama Insurance Department their compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

[1] Source:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s