To date, six states from Michigan to Alabama have adopted versions of the National Association of Insurance Commissioners' model insurance data security law (the "NAIC model"). The NAIC model generally requires entities licensed or authorized to operate under a state's insurance laws to develop a cybersecurity program, investigate and report data breaches, and certify compliance with the law to the state's insurance commissioner. Connecticut joined the growing list of states that have adopted a version of the NAIC model when Governor Ned Lamont signed Public Act 19-117 (the "Act") on June 26, 2019, with the insurance data security provisions buried in a budget bill; those provisions take effect on October 1, 2020.[1]

The Act closely follows the NAIC model law, with a few notable exceptions. First, unlike the NAIC model, the Act has a broader initial exception for small businesses, but this exception, which is based on the number of employees, narrows in 2021. The NAIC model provides an exception for licensees with fewer than 10 employees. Under the Act, prior to September 30, 2021, each licensee with fewer than 20 employees is excepted; after October 1, 2021, only licensees with fewer than 10 employees are excepted.[2] Unlike the laws passed in Ohio, Mississippi, and Alabama, the Act does not contain an exception for small businesses based on gross revenue or year-end total assets.

Perhaps most significantly, the Act provides that each licensee that "has established and maintains an information security program in compliance with statutes, rules and regulations of a jurisdiction approved by the commissioner pursuant to [the Act] shall be deemed to have satisfied" the cybersecurity program provisions of the Act.[3] According to the commissioner, speaking at a recent meeting, this will include compliance with the NY DFS cybersecurity regulation, 23 NYCRR 500.

Finally, the Act requires notification to the commissioner "as promptly as possible but in no event later than three business days after the date of the cybersecurity event."[4] This is a departure from the NAIC model law, which requires notification within 72 hours of a determination that a cybersecurity event has occurred. In the Act as written, the trigger is not the determination that an event has occurred but the occurrence of the event itself. The Act also changes the current notification deadline from "as soon as the event is identified, but not later than five (5) calendar days" under Insurance Department Bulletin IC-25 to "as promptly as possible" but not later than three business days.

We anticipate that states will continue to adopt the NAIC model law in varying forms, and we recommend that insurance licensees carefully monitor their passage and track their differences for compliance purposes.

For previous coverage of the NAIC model law and its adoption in other states, please click the links below.

Cybersecurity Update: NYDFS, NAIC, and What’s Going on in SC, OH, MI, and MS?

[1] Public Act 19-117 is Connecticut's omnibus budget bill, containing in excess of 400 sections addressing a wide variety of topics with different effective dates. Section 230, which contains the substance of the insurance data security provisions, was originally to take effect on October 1, 2019, but subsequent legislation, Public Act 19-196, delayed that date to October 1, 2020. Further, as noted in the article, some portions of Section 230 phase out over time.

[2] Public Act 19-117, § 230(c)(10)(A)(i).

[3] Public Act 19-117, § 230(c)(10)(A)(vii).

[4] Public Act 19-117, § 230(e).