Recently, a task force of the National Association of Insurance Commissioners (NAIC) offered a draft of its Insurance Data Security Model Law for public comment. The model law aims to establish not only exclusive standards within the insurance industry for data security, but also strict notification requirements if consumers’ personal information is breached.

Additionally, under the model law, every insurer in an adopting state would need to have and post a privacy policy, implement a comprehensive and written information security program, conduct an investigation into any possible data breach, notify individuals as well as appropriate state and federal agencies of any actual breach, and contract for specific safeguards with any third-party service providers.

The model law anticipates penalties that would initially range from $500 to $10,000, but repeated violations could lead to a $50,000 fine or suspension of a state license. The task force hopes to receive comments by March 23, after which it will consider revisions and offer the model law for formal approval by NAIC’s Executive Committee. State legislatures would then decide whether to adopt a version of the law for their state.

TIP: This proposed model law signals that state insurance regulators are very concerned about privacy and data security. Companies that might be covered by such a model law, if implemented in relevant states, may wish to submit comments about the model law by email before March 23.