The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and subsequently passed in South Carolina, Ohio, Michigan, Mississippi, Alabama, Delaware, and New Hampshire. The NAIC’s 2017 passage of its model law set the stage for several state legislatures to include it on their legislative calendars beginning in 2018 and continuing today.
Most recently, New Hampshire passed its version of the law, which Governor Chris Sununu (R) signed on August 2. Below are some of the highlights of the New Hampshire law.
Like most of the earlier versions, the New Hampshire version of the law was based on the NAIC model and the South Carolina Insurance Data Security Act. New Hampshire’s law applies to all “licensees,” which are defined as people who are or should be licensed pursuant to the insurance laws of New Hampshire. Under the New Hampshire law, licensees are required to develop and put in place an information security program within one year from the date of passage of the law, and licensees are required to report some types of cybersecurity events to the New Hampshire insurance commissioner.
The New Hampshire law also allows the insurance commissioner to impose financial penalties against licensees found to be in violation; it also permits the commissioner to consider revocation of the applicable state license to punish a violation. Like the others, it also requires that licensees develop, implement, and maintain a written information security policy (WISP), and it provides the insurance commissioner with the authority to investigate the activities of licensees to ensure compliance with the new law.
Like most similar laws, the New Hampshire version provides for phased-in implementation over the course of one or two years, depending on the provision. Also like the other states’ versions, there are exemptions for certain categories of possible licensees.
However, the New Hampshire law provides a greater variety of possible exemptions than do most other states. Exemptions from some parts of the law are available to licensees with fewer than 20 employees, continuing care retirement communities (as defined by New Hampshire law), life settlement providers (as defined by New Hampshire law), and banks or credit unions (as defined by New Hampshire law) that are subject to and in compliance with the Gramm-Leach-Bliley Act (15 U.S.C. section 6801 et seq.), among other categories.
Finally, unlike most similar laws, the New Hampshire law provides varying degrees of safe harbor to licensees that are already complying with the Health Insurance Portability and Accountability Act of 1996 (commonly referred to as HIPAA) or the New York data security regulation on which MDL-668 is based (N.Y. Comp. Codes R. & Regs. Title 23, section 500, Cybersecurity Requirements for Financial Services Companies).
This post is part of a series on the adoption of the NAIC Insurance Data Security Model Law (MDL-668) in states across the country. To find posts on other states’ versions of MDL-668, click on “data security” under “Tags” on the right-hand side of the page.