The insurance industries in South Carolina and Rhode Island may soon be required to adopt formal data security safeguards, a movement sparked by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The model law, which NAIC adopted in October 2017, establishes minimum standards for data security applicable to insurance providers. It is part of a growing body of state-level cybersecurity legislation, including the New York State Department of Financial Services regulation issued in March 2017. We blogged about the model law back in January.

Legislatures in South Carolina and Rhode Island have taken steps to enact the model law, with South Carolina furthest along in the process. Both houses of the South Carolina legislature have passed the bill, called the South Carolina Insurance Data Security Act, without any changes from the NAIC’s model version. It is currently awaiting the Governor’s signature. If passed, South Carolina would be the first state to adopt the model law.

Rhode Island is next in line. There, the bill has been introduced in the state House and Senate but held for further study. And other states are likely to follow suit. Nevada and Vermont, for example, have indicated interest in introducing the model law during the 2018 legislative session.

Of course, it is still too early to tell whether the model law will be widely adopted. Despite movement in state legislatures, several key questions about the legislation remain unanswered, including whether states will support passing cybersecurity legislation that applies only to insurance entities and whether NAIC will make the model law an accreditation requirement, thereby forcing states to pass similar versions of the bill.

Companies should keep an eye on this important and evolving area of law. We will continue to report on any new developments.