Data Security: The NAIC Model Laws

Elaine is a Senior Specialist at ReSource Pro Compliance

On January 1, 2023, Iowa and Vermont became the latest states to begin enforcing their versions of the NAIC’s Insurance Data Security Model Law (MDL-668). Maryland rolls out its initial requirements in October 2023. These jurisdictions join the 18 other states that have implemented (or are in the process of implementing) such regulations.

While high-profile hacks and a general rise in cybercrime levels continue to call attention to the need for robust data security programs, it’s important to understand that MDL-668 isn’t the only model law intended to improve data security for the insurance industry.

Insurance Information and Privacy Protection Model Act (MDL-670)

First approved in October 1992, this model law establishes standards for the collection, use, and disclosure of information gathered in connection with insurance transactions. The goal of the law is to minimize the intrusive nature of the data collection process. It also allows individuals greater control over data pertaining to them.

Key provisions of the model law include limitations and conditions for the use of:

  • Pretext interviews,
  • Marketing and research surveys,
  • Investigative consumer reports, and
  • Previous adverse underwriting decisions.

Generally, these guidelines ensure that applicants or policyholders understand who is collecting information about them and whether or how that information may influence underwriting decisions.

The law also outlines standards and procedures for:

  • Notifying applicants/policyholders regarding insurance information practices,
  • Authorizing the disclosure of information,
  • Disclosing personal information,
  • Accessing personal information held by insurers/producers,
  • Correcting, amending, and/or deleting such information, and
  • Explaining/documenting adverse underwriting decisions.

While these procedures vary in detail, they share several common features, such as requiring timely, written communication; placing time limits on the use of information; and documenting the sourcing of information. Under these protections, insureds play an active role in verifying the integrity of the information used to make underwriting decisions concerning them. The NAIC’s Privacy Protections (H) Working Group is currently working to revise this model law in response to the exponential increase in the amount of information being collected. It plans to complete the revision process by the 2023 Summer National Meeting.

Privacy of Consumer Financial and Health Information Regulation (MDL-672)

This 2017 model law specifically addresses the standards and procedures for the collection and use of nonpublic personal health and financial information in making underwriting and claims decisions.

The law mandates the following communications to consumers:

  • Initial privacy notices
  • Annual privacy notices
  • Opt-out notices
  • Authorizations to disclose nonpublic information

MDL-672 provides detailed requirements for the content and form of these communications. It also addresses the method of their delivery. Oral communication, either in person or by telephone, is NOT sufficient. Appendix A offers sample language, while Appendix B offers the Federal Model Privacy Form as a template. Insurance organizations do not have to use this template, however, if their chosen privacy form meets the criteria set out in Section 7.

The model law also imposes limits on the disclosure of nonpublic financial information, on the redisclosure or reuse of such information, and on sharing account numbers for marketing purposes. It also sets out a “reasonability” standard for opt-out procedures and lists various exceptions to the opt-out requirements.

Lastly, NAIC explains how its model law relates to other state laws governing data security and consumer privacy and to federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA).

Like MDL-670, the Privacy of Consumer Financial and Health Information Regulation is currently under review by the Privacy Protections (H) Working Group.

Updates to the Insurance Data Security Model Law

While MDL-668 is not currently under review, it’s worth noting that the New York DFS recently proposed significant amendments to its landmark cybersecurity regulation, 23 NYCRR 500. This regulation profoundly influenced the scope and language of the NAIC’s model law. The proposed amendment creates “tiers” of licensed entities to better reflect the challenges smaller businesses face in complying with the law. It also enhances governance requirements; requires additional security controls; and heightens the standards for risk and vulnerability assessments, incident response and recovery planning, and employee training. It remains to be seen whether the state legislature will adopt the amendment and, if so, what influence this change might have on the model law or the versions of it adopted by 21 states.
For more information on data security laws and other regulatory changes impacting the insurance industry, visit our Newsroom. And for help developing and implementing a comprehensive compliance strategy, visit our compliance page.