NAIC Model 673: Standards for Safeguarding Customer Information Model Regulation

Customers are increasingly concerned and vigilant about their sensitive data. Naturally, they expect any organization they trust with such data to undertake every possible measure on their part to protect such data.

The Standards for Safeguarding Customer Information Model Regulation (Regulation) is a set of guidelines issued by the National Association of Insurance Commissioners (NAIC) - a US-based non-profit standard-setting organization governed by the chief insurance regulators from the 50 states, the District of Columbia, and five US territories. The Regulation provides vital standards that organizations can adopt to guarantee the confidentiality and integrity of all non-public personal information of their customers.

Several US states, including Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, and others, have adopted the Regulation so far.

Read on to learn more about what obligations it places on organizations and the best tools that can be leveraged to address these obligations.

Who Needs to Comply with Model 673

The Regulation establishes standards for the insurers licensed, authorized, or registered under state insurance laws (licensees) to develop and implement administrative, technical, and physical safeguards for protecting customer information's security, confidentiality, and integrity pursuant to sections 501, 505(b), and 507 of the federal Gramm-Leach-Bliley Act.

Additionally, the Regulation also applies to insurance agents, brokers, and third-party service providers that work with such organizations and individuals and have access to the non-public personal information of customers.

Definitions of Key Terms

Here are definitions for some critical terms mentioned in the Regulation:

Customer Information

Any non-public personal information about a customer in any electronic or non-electronic format maintained by or on behalf of a licensee.

Licensee

Licensee refers to all licensed insurers, producers, and other persons licensed or required to be licensed, authorized, or required to be authorized, registered, or required to be registered. This does not include a purchasing group or an unauthorized insurer.

Service Provider

A service provider maintains, processes, or otherwise is permitted access to customer information by providing services directly to the licensee.

Obligations for Organizations

Here are the obligations of each licensee per the Regulation:

Information Security Program

Licensees are required to implement a comprehensive information security program. This program should include all relevant administrative, technical, and physical safeguards for the protection of customer information. All such administrative, technical, and physical safeguards should be appropriate per the size and complexity of the licensee’s scope of activities.

Additionally, the information security program should be designed in such a way that it:

• Ensures both the security and confidentiality of all customer information;
• Protects against any anticipated threats or hazards to the security or integrity of the customer information;
• Protects against any unauthorized access to or use of information that may harm or cause inconvenience to the customer.

The licensees must also monitor, evaluate, and adjust their information security program owing to any changes in technology, the sensitivity of customer information, the emergence of new internal and external threats to information, and their own business situations such as mergers, acquisitions, alliances, and joint ventures, that may directly impact the customer information system.

Risk Assessment

The Regulation requires the licensees to:

• Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosures, misuse, alteration, or destruction of customer information or customer information systems;
• Assess the likelihood and potential impact of these threats, considering the sensitivity of customer information;
• Assess the sufficiency of existing policies, procedures, customer information systems, and other safeguards to manage and control risks.

Risk Management

The licensees are required to:

• Design an information security program to manage identified risks proportionate to the sensitivity of the information, considering the complexity and extent of the licensee’s operations;
• Train staff to be as proficient as possible with the information security program;
• Conduct regular testing or ongoing monitoring of the critical controls, systems, and procedures of the information security program. The risk assessment should determine the appropriate frequency of such tests.

Service Provider Arrangements

The Regulation mandates the licensees to:

• Exercise appropriate due diligence in selecting their service providers;
• Obligate all service providers to implement appropriate measures designed to meet the objectives of the Regulation. Additionally, based on the risk assessment, the licensees must ensure that service providers fulfill these obligations through appropriate verification steps.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance solutions.

These solutions, such as vendor risk assessment, breach management, access governance, assessment automation that automate the records of processing (RoPA) reports, privacy impact assessments, and data protection impact assessments, will prove vital for any organization aiming to comply with the Standards for Safeguarding Customer Information Model Regulation.

Request a demo today and learn more about how Securiti can help you in this compliance journey.