National Association of Insurance Commissioners

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for states to address risks and develop cybersecurity guidelines for insurance companies. Ohio became the second state, after South Carolina, to adopt the model law. As Mike explained in the article, the statute provides policyholders with an added layer of protection against disclosure of sensitive and confidential information that may be held by insurers operating in the state.

A link to the article featuring Mike’s comments can be found here.

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019. Continue Reading Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina