Information data security has been a hot topic for the insurance industry in recent years, particularly the development of information security programs (“ISPs”) by insurers, producers, and other insurance licensees. New York was the first state to adopt insurance data security requirements in 2017. Since then, 21 states, including Wisconsin, have adopted some form of insurance data security law, generally mirroring the National Association of Insurance Commissioners Insurance Data Security Model Law (the “Model Law”), which was also promulgated in 2017. Additionally, at least two other jurisdictions have insurance data security laws pending as of November 2022 (Pennsylvania and the District of Columbia).
One of the primary requirements of the New York regulations and the Model Law is that licensees (generally defined as all persons licensed or required to be licensed under the insurance laws of, and domiciled in, the particular state) must create and implement an ISP. Under the Model Law, ISPs are required to:
(1) Protect the security and confidentiality of Nonpublic Information and the security of the Information System;
(2) Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;
(3) Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and
(4) Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.
Model Law Section 4(B). Licensees must design their ISPs commensurate with the ..
Support the originator by clicking the read the rest link below.
