Feb 22021

NAIC Insurance Data Security Law Annual Certifications: Is Yours Due By February 15?

Thomas D. Cunningham and Marriam Shah
, , , , , , ,

Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.

The National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law has been adopted in at least 11 states, with several others (including New York) having implemented either older or similar laws or administrative guidance.  The NAIC Insurance Data Security Model Law “requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment….” See State Legislative Brief, NAIC, June 2020.

It also mandates that insurers and other subject to its provisions submit an annual certification of compliance with the law.  Of note, the deadline for such certification in five states – Alabama, Delaware, Mississippi, Ohio, and South Carolina – is February 15, 2021.  A sixth state – New Hampshire – follows fast on their heels with a certification deadline of March 1, 2021.  Once submitted, parties must maintain the records, schedules, and data supporting their annual certificates for a specified period of time (5 years, for example, in the case of Delaware.  See Del. Code Ann. Tit. 18 § 8604(i)(2).)

Please contact the Sidley privacy lawyer with whom you work, or the above, if you have any questions about the requirements or timing of such certifications.

Thomas D. Cunningham

Chicago

tcunningham@sidley.com

Marriam Shah

mshah@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.