Feb 22021

NAIC Insurance Data Security Law Annual Certifications: Is Yours Due By February 15?

Thomas D. Cunningham and Marriam Shah
, , , , , , ,

Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.

The National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law has been adopted in at least 11 states, with several others (including New York) having implemented either older or similar laws or administrative guidance.  The NAIC Insurance Data Security Model Law “requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment….” See State Legislative Brief, NAIC, June 2020.

It also mandates that insurers and other subject to its provisions submit an annual certification of compliance with the law.  Of note, the deadline for such certification in five states – Alabama, Delaware, Mississippi, Ohio, and South Carolina – is February 15, 2021.  A sixth state – New Hampshire – follows fast on their heels with a certification deadline of March 1, 2021.  Once submitted, parties must maintain the records, schedules, and data supporting their annual certificates for a specified period of time (5 years, for example, in the case of Delaware.  See Del. Code Ann. Tit. 18 § 8604(i)(2).)

Please contact the Sidley privacy lawyer with whom you work, or the above, if you have any questions about the requirements or timing of such certifications.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Thomas D. Cunningham

Chicago

tcunningham@sidley.com

Marriam Shah

mshah@sidley.com

You might also like
EU Moving Closer to an AI Act?

On 24 October 2023, the European Parliament and Member States concluded a fourth round of trilogue discussions on the draft Artificial Intelligence Regulation (AI Act). Policymakers agreed on provisions to classify high-risk AI systems and also developed general guidance for the use of “enhanced” foundation models. However, the negotiations did not lead to substantial progress on provisions for prohibitions in relation to the use of AI by law enforcement. The next round of trilogue discussions will take place on 6 December 2023.

Digital Health and Artificial Intelligence: New Developments From President Biden’s Executive Order

The Biden administration’s executive order issued on October 30, 2023, includes a number of initiatives relating to the development and use of artificial intelligence (AI), including in healthcare. As AI becomes a pivotal point of innovation for the healthcare industry, digital health healthcare technology developers, private equity sponsors, and other key industry stakeholders should track the regulatory frameworks certain to be developed following this executive order to better inform strategies for developing drugs and devices and assessing deals involving AI.

President Biden Signs Sweeping Artificial Intelligence Executive Order

On October 30, 2023, President Joe Biden issued an executive order (EO or the Order) on Safe, Secure, and Trustworthy Artificial Intelligence (AI) to advance a coordinated, federal governmentwide approach toward the safe and responsible development of AI. It sets forth a wide range of federal regulatory principles and priorities, directs myriad federal agencies to promulgate standards and technical guidelines, and invokes statutory authority — the Defense Production Act — that has historically been the primary source of presidential authorities to commandeer or regulate private industry to support the national defense. The Order reflects the Biden administration’s desire to make AI more secure and to cement U.S. leadership in global AI policy ahead of other attempts to regulate AI — most notably in the European Union and United Kingdom and to respond to growing competition in AI development from China.