Kentucky and Maryland Recently Joined Other States in Adopting NAIC Model Data Security Law

Kentucky and Maryland recently continued the trend of state insurance departments adopting some version of the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Model Law.  Kentucky Governor Andy Beshear signed House Bill 474 into law, and Maryland Governor Larry Hogan signed SB 207.

Like the Model Law on which both are based, the laws require licensees of their states to, among other things, maintain a comprehensive written information security program, perform a risk assessment to identify appropriateness of implementing certain technical safeguards such as multifactor authentication and encryption, develop an incident response plan, and require third party service providers to implement security measures.

The laws also require notice of certain cybersecurity events to relevant state insurance commissioners within three business days of a determination that a cybersecurity event has occurred.  “Cybersecurity Event” is defined as an “event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.”  The notification requirements vary slightly; but, generally, notification is required for a Cybersecurity Event if:

  1. the state is the Licensee’s state of domicile or home state or
  2. the Licensee believes the Nonpublic Information involves 250 or more Consumers and either (a) notice is required to any government body or other supervisory body or (b) the Cybersecurity Event has a reasonable likelihood of materially harming (i) any Consumer residing in the State or (ii) any material part of the normal operation of the Licensee.

The new Kentucky law takes effect on January 1, 2023.  Licensees will have one year from its effective date to implement many of its provisions, and two years from that date to implement a full information security program.

The new Maryland law takes effect on October 1, 2022, with certain grace periods for licensees to comply with the law’s requirements for a written information security program (by October 1, 2023) and to implement required service provider oversight (by October 1, 2024).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.