What To Know About NAIC Model 668 : The Insurance Data Security Model Law

The Insurance Data Security Model Law is one of the many model laws developed by the National Association of Insurance Commissioners (NAIC) - a US-based non-profit standard-setting organization governed by the chief insurance regulators from the 50 states, the District of Columbia, and five US territories. The law establishes standards for data security, investigations, and notifications that must be issued to several stakeholders in the aftermath of a Cybersecurity Event.

The law places several obligations upon the regulated entities, such as developing a comprehensive information security program, carrying out investigations related to a possible Cybersecurity Event, and appropriately notifying the affected parties.

Several US states, such as Alabama, Connecticut, Delaware, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, and others have adopted Model 668.

Read on to learn more about who needs to comply with the Act, notable exceptions, obligations related to notifications about a Cybersecurity Event, and the best tools to leverage in pursuit of compliance with Model 668.

Who Needs to Comply with Model 668

Application

The law applies to any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency, or association licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the state insurance laws (Licensees).

Exception

The law does not apply to a purchasing group or risk retention group chartered and licensed in another state or a Licensee that acts as an assuming insurer that is domiciled in another state or jurisdiction.

Definitions of Key Terms

Authorized Individual

This refers to an individual known to and screened by the Licensee and determined to be

necessary and appropriate to have access to the non-public information held by the Licensee and its information systems.

Consumer

This refers to an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the state and whose Non-public Information is in a Licensee’s possession, custody, or control.

Cybersecurity Event

This refers to an incident that results in unauthorized access to, misuse, or disruption of an information system. However, it excludes the unauthorized acquisition of Encrypted Nonpublic Information if the encryption process or key is not also acquired, released, or used without authorization. Additionally, a Cybersecurity Event does not include situations where the Licensee determines that accessed Non-public Information by an unauthorized person has not been used or released and has been returned or destroyed.

Information Security Program

This refers to administrative, physical, and technical safeguards that a licensee uses to access, collect, distribute, process, protect, use, transmit, or dispose of or otherwise handle non-public information.

Non-Public Information

This refers to all information that cannot be classified as publicly available and falls into the following categories:

• Business-related information of a Licensee, the unauthorized access, tampering, or disclosure of which would materially harm the business, operations, or security of the Licensee;
• Information related to a consumer, identifiable by name, number, personal mark, or other identifier, combined with one or more of the following data elements:
  • Social security number;
  • Account number, credit/debit card information;
  • Driving license number or non-driver identification card number;
  • Any security code, access code, or password providing access to a Consumer’s financial account;
  • Biometric records.
• Information or data, excluding age or gender, created or derived from a health care provider or a Consumer that relates to:
  • The past, present, or future physical, mental, or behavioral health or condition of any Consumer or their family member;
  • The provision of health care to any Consumer; and
  • Payment for the provision of health care to any Consumer.

Publicly Available Information

This refers to any information that a Licensee has a reasonable basis to believe is lawfully made available to the general public. This includes information from federal, state, or local government records, widely distributed media, or disclosures mandated by applicable laws.

To establish this reasonable belief, a Licensee must take steps to confirm:

• That the information is of a type available to the general public; and
• Whether a Consumer can direct that the information not be made available to the general public and, if so, that such Consumer has not done so.

Obligations for the Licensee

Information Security Program

Implementation of a Security Program

A Licensee is required to develop, implement, and maintain an Information Security Program appropriate to the nature and scope of its activities, including its use of third-party service providers and the sensitivity of the information it uses. The developed Information Security Program must be written in a comprehensive format based on risk assessments and must contain administrative, technical, and physical safeguards for the protection of the Non-public Information and the Licensee’s Information System.

However, the following entities are exempt from the requirements related to the Information Security Program:

• Licensees with fewer than ten employees, including independent contractors;
• A Licensee subject to HIPAA that has established and maintains an Information Security Program pursuant to it provided it is compliant with the requirements of HIPAA and can submit a written statement certifying its compliance;
• An employee, agent, representative, or designee of a Licensee, who is a Licensee, to the extent that the employee, agent, representative, or designee is covered by the Information Security Program of the other Licensee.

Objective of the Information Security Program

The Information Security Program must be designed to adequately:

• Protect the security and confidentiality of all non-public information as well as the security of the information system;
• Protect against all threats or hazards to the security and confidentiality of all non-public information as well as the security of the information system;
• Protect against any unauthorized access that may pose a threat to the security and confidentiality of all non-public information as well as the security of the information system;
• Define and re-evaluate the timelines related to the retention of non-public information and establish a mechanism for its destruction when no longer needed.

Risk Assessments

The law requires a Licensee to:

• Designate dedicated personnel to act on behalf of the Licensee responsible for the Information Security Program;
• Identify reasonably foreseeable internal and external threats to the Information Security Program that could result in unauthorized access and result in disclosure, misuse, alteration, or destruction of non-public information;
• Assess the likelihood of identified threats and the potential damage they could cause;
• Assess the sufficiency of the existing policies, procedures, and other safeguards in place, considering areas such as employee training, Information Systems, and response to system failures. to mitigate such risks; and
• Implement safeguards based on ongoing risk assessments and annually assess the effectiveness of key controls, systems, and procedures.

Risk Management

Once a Licensee has carried out a risk assessment, it must:

• Design its Information Security Program to mitigate all identified risks in proportion to the licensee’s size, the complexity of its activities, including the use of third-party service providers, and the sensitivity of non-public information used by the Licensee or in its possession.
• Determine the best security measures necessary to ensure the effectiveness of the Information Security Program. These measures can include the following:
  • Place access controls on information systems, with access restricted to authorized individuals only;
  • Identification and management of all data, devices, systems, and services that serve a business purpose and their degree of importance to the organization’s business objectives and organization’s risk strategy;
  • Protect Nonpublic Information during transmission over an external network and when stored on portable devices through encryption or other suitable means;
  • Restrict access to physical locations to authorized individuals only;
  • Adopt secure development practices for in-house applications and establish procedures to evaluate, assess, or test the security of externally developed applications;
  • Implement multi-factor authentication;
  • Modify the Information System in alignment with the licensee’s Information Security Program;
  • Conduct regular tests and monitor all systems for failed attempts at access;
  • Develop audit trails to map all Cybersecurity Events;
  • Implement appropriate measures to protect all non-public information against damage as a result of environmental hazards such as fire or water damage;
  • Develop secure and safe data disposal practices.

• Include cybersecurity risks within the organization’s enterprise risk management process.
• Remain vigilant about emerging threats or vulnerabilities and employ appropriate security measures when sharing information, taking into account the nature and type of the shared information.;
• Conduct regular employee cybersecurity awareness training sessions.

Board of Directors Oversight

If a Licensee has a board of directors, the board must:

• Require the Licensee to undertake appropriate measures to develop, implement, and maintain an Information Security Program;
• Require the Licensee to report the following information annually:
  • Status of the Information Security Program and Licensee’s compliance with the Act;
  • Significant matters related to the Information Security Program, including risk assessment, management decisions, Third-Party Service Provider arrangements, testing results, Cybersecurity Events or violations, management responses, and recommendations for program changes

Third-Party Arrangements

A Licensee must ensure the following measures in relation to any third-party service arrangements:

• Exercise due diligence in selecting such third-party service providers;
• Require all such third-party service providers to implement similarly appropriate technical, physical, and administrative measures to protect and secure the Information Systems and all non-public information held by the third-party service provider.

Program Adjustments

A Licensee is required to continually monitor, assess, and adjust the Information Security Program as needed to align with changes in technology, the sensitivity of Nonpublic Information, internal or external threats, and modifications in the Licensee's business arrangements, including mergers, acquisitions, alliances, joint ventures, outsourcing arrangements, and changes to Information Systems.

Incident Response Plan

A key facet of the Information Security Program is establishing a clear and well-written incident response plan to help an organization proactively respond and recover from a Cybersecurity Event.

Such a plan must address the following areas:

• The internal procedure to respond to a Cybersecurity Event;
• The goal of the incident response plan;
• Clear delineation of roles, responsibilities, and decision-making authority levels;
• Protocols for external and internal communications and information sharing;
• All documentation and reporting related to Cybersecurity Events and other response activities;
• Identification of all remediation measures required to address weaknesses in the Information System;
• Documentation and reporting procedures for Cybersecurity Events and related incident response activities;
• A consistent evaluation and revision of the incident response plan in the aftermath of a cybersecurity event.

Annual Certification

Each insurer is required to submit a written statement to the Commissioner by February 15 of each year certifying that they are still compliant with the requirements set forth by the law. The insurers must retain all records, schedules, and data supporting their request for certification for five years. These records must include all identification and remedial efforts planned by an organization in addition to plans for updates and redesigns to an organization’s internal systems or processes.

Investigation of a Cybersecurity Event

If and when a Licensee learns of a Cybersecurity Event occurring to the Licensee or any of their third-party vendors acting on their behalf, the Licensee must promptly conduct a thorough investigation.

Such an investigation must determine as much of the following events as possible:

• Whether a Cybersecurity Event has occurred;
• The nature and scope of the Cybersecurity Event;
• Identification of all non-public information that may have been compromised as a result of the Cybersecurity Event;
• Undertake reasonable measures to restore any compromised security of the Information Systems to prevent future unauthorized access or use of non-public information in the Licensee’s possession.

If a Cybersecurity Event has occurred in a system maintained by a third-party service provider, the Licensee must either undertake the aforementioned steps or verify and document that the Third-Party Service Provider has completed those steps.

All such records must be maintained for a period of at least five years from the date of the Cybersecurity Event. Such records must be made available to the Commissioner upon request.

Notification of a Cybersecurity Event

A licensee is expected to be proactive and precise in the event of a cybersecurity incident. The Commissioner must be informed of such an event within 72 hours of the occurrence of the Cybersecurity Event. The Licensee can determine that the incident is a Cybersecurity Event if any of the following criteria are met:

• The state in which the event has occurred is the Licensee’s state of domicile in the case of an insurer or is the Licensee’s home state in the case of a producer;
• The Licensee has reasons to believe the Non-public Information involved pertains to 250 or more consumers in this state and:
  • The Licensee is required to send a notice to a government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law or
  • The event is likely to cause material harm to:
    • Consumers within the state; or
    • Any material part of the normal operations of the Licensee.

Once it has been established that a Cybersecurity Event has occurred, the Licensee must provide the Commissioner with as much of the following information as quickly as possible in electronic form and maintain a continuous obligation to update and supplement notifications regarding the Cybersecurity Event:

• Date of the Cybersecurity Event;
• Description of how the information was exposed, lost, stolen, or breached, including the roles of any Third-Party Service Providers;
• How the Cybersecurity Event was discovered;
• Whether any lost, stolen, or breached information has been recovered and if so, how;
• Identity of the source of the Cybersecurity Event;
• Whether the Licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
• Specific types of data acquired without authorization e.g. medical, financial, or types of information allowing consumer identification;
• The period during which the information system was compromised by the Cybersecurity Event;
• Total consumers impacted by the Event. The Licensee may provide their best estimate in case real numbers aren’t available;
• Results of any internal review regarding lapses or adherence to automated controls and internal procedures;
• Description of all remedial measures undertaken to address the Cybersecurity Event;
• Copy of the Licensee’s privacy policy and a written statement outlining the steps the Licensee plans to take to investigate the matter;
• Contact information of the personnel familiar with the Cybersecurity Event and authorized to act on behalf of the Licensee.

The notifications sent to consumers must comply with any relevant regulatory data breach requirements the Licensee is subject to.

In case a Cybersecurity Event occurs in a system maintained by a third-party service provider, the Licensee must undertake all the aforementioned steps related to sending notifications to affected parties. The notification deadline would begin from the day the third-party service provider officially notifies the Licensee of the Cybersecurity Event or when the Licensee otherwise gains actual knowledge of the event, whichever occurs first.

In case of a Cybersecurity Event involving insurers and reinsurers, the following steps must be taken:

• If the event involves non-public information used by the Licensee acting as an insurer, the Licensee is obligated to notify the affected ceding insurers as well as the Commissioner of the event within 72 hours;
• The ceding insurers with a direct contractual relationship with the Consumers must then fulfill consumer notification requirements and any other notification requirements related to Cybersecurity Events under the law. If the event involves non-public information used by a third-party service provider of a licensee that is an assuming insurer, the Licensee must notify the ceding insurers and the Commissioner of the event within 72 hours;
• The ceding insurers with a direct contractual relationship with the Consumers must then fulfill consumer notification requirements and notification requirements related to a Cybersecurity Event under the Act.

In the event that a Cybersecurity Event occurs, which impacts Nonpublic Information held by an insurer or its Third-Party Service Provider, and a consumer accessed the insurer's services through an independent insurance producer, the insurer must notify the producers of record for all affected Consumers as soon as practicable as directed by the Commissioner. The insurer is exempt from this obligation if it lacks current producer of record information for any individual Consumer.

Regulatory Authority

The Commissioner is empowered with the authority to examine and investigate any licensee to determine if they have violated any provision of the law. This authority is supplementary to the Commissioner's existing powers under relevant statutes governing the investigation or examination of insurers.

If there is reason to believe that a Licensee has violated the law within the state, the Commissioner can take necessary actions to enforce its provisions.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Additionally, it provides organizations access to critical solutions that can help in compliance with all major data regulations.

In this case, dedicated modules such as Assessment Automation, Vendor Management, and Privacy Notice Management allow an organization to seamlessly integrate and address various obligations they are subject to per Model 668, assess compliance gaps, and mitigate any associated risks.

Request a demo today and learn how Securiti can help you comply with Model 668 both effectively and efficiently.