Feb 22021

NAIC Insurance Data Security Law Annual Certifications: Is Yours Due By February 15?

Thomas D. Cunningham and Marriam Shah
, , , , , , ,

Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.

The National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law has been adopted in at least 11 states, with several others (including New York) having implemented either older or similar laws or administrative guidance.  The NAIC Insurance Data Security Model Law “requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment….” See State Legislative Brief, NAIC, June 2020.

It also mandates that insurers and other subject to its provisions submit an annual certification of compliance with the law.  Of note, the deadline for such certification in five states – Alabama, Delaware, Mississippi, Ohio, and South Carolina – is February 15, 2021.  A sixth state – New Hampshire – follows fast on their heels with a certification deadline of March 1, 2021.  Once submitted, parties must maintain the records, schedules, and data supporting their annual certificates for a specified period of time (5 years, for example, in the case of Delaware.  See Del. Code Ann. Tit. 18 § 8604(i)(2).)

Please contact the Sidley privacy lawyer with whom you work, or the above, if you have any questions about the requirements or timing of such certifications.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Thomas D. Cunningham

Chicago

tcunningham@sidley.com

Marriam Shah

mshah@sidley.com

You might also like
SEC’s Cybersecurity Disclosure Rules Are Here. Is Your Company Ready to Comply?

Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.

New EU FIDA Proposal: How Does This Affect GDPR?

The European Commission issued the Financial Data Access Act (FIDA) proposal in June this year. FIDA will create a legislative framework that aims to “bring payments and the wider financial sector into the digital age” by facilitating the sharing of and access to customer financial data (whether of businesses or consumers).

Schumer Framework May Forge U.S. Model on AI Governance

*This article first appeared on Law360 on September 5, 2023.

This summer, Senate Majority Leader Chuck Schumer proposed a distinctive new framework to develop a comprehensive artificial intelligence regulatory policy that is intended to be adamantly bipartisan and committed, as a first principle, to preserving innovation and intellectual property rights.