The "Insurance Data Security Model Law," or NAIC Model Regulation 668, was developed by the National Association of Insurance Commissioners (NAIC) in the United States. This model law establishes cybersecurity standards and requirements for insurance companies to protect nonpublic information's confidentiality, integrity, and availability.
The NAIC Model 668 applies to licensees who are defined as persons licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the state but shall not include a purchasing group or risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
The NAIC Model Regulation 668 acts as a model or template that other U.S. states can use as a starting point for developing their own regulatory frameworks. As a result, each state may vary in terms of specific requirements and details of the regulation.
The NAIC Model Regulation 668 is one of the four primary model NAIC Laws. The other three laws are the model Insurance Information and Privacy Protection Act (#670), the model Privacy of Consumer Financial and Health Information Regulation (#672), and the model Standards for Safeguarding Customer Information Regulation (#673). These standards govern the collection, use, and disclosure of information in relation to insurance transactions made by insurance institutions, agents, or insurance support organizations. The NAIC Model Regulation 668 imposes cybersecurity obligations concerning personally identifiable information.
The NAIC Model 668 has been adopted by several US states, including Alabama, Connecticut, Delaware, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, New York, North Dakota, South Carolina, Tennessee, Virginia, Wisconsin, and Ohio.
