One Ring to Rule Them All

With large cyber breaches like Instagram, Target, and Equifax it isn’t a surprise that the National Association of Insurance Commissioners (NAIC) issued the Data Security Model Law (MDL-668) (the “Model Law”).  The Model Law heavily borrows from the New York Department of Financial Services (NYDFS) cybersecurity regulations that went into effect on March 1, 2017. NYDFS cyber regs imposed proactive cybersecurity regulations on “covered entities” doing business in New York.  Covered entities under the NYDFS cybersecurity regulations include insurance companies, banking institutions, trust companies, budget planners, check cashers, credit unions, and (thanks to Equifax) credit monitoring companies.

The aptly named Model Law is geared to bring more consistency and structure in the patchwork of cybersecurity guidelines. Once enacted, the Model Law functions much like its NYDFS cousin requiring organizations to take documented and concrete steps toward cyber-maturity.

The stated purpose of the Model Law is to “establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees…”.  And with the establishment of this Model Law, states have started to fall in line. South Carolina, Ohio and Michigan have all passed laws that are practically carbon copies of the Model Law, with some minor but notable exceptions, outlined below.

Breach notification requirements vary state-by-state and regulation by regulation.  So it should not come as a surprise to anyone that one difference in the adoption of the Model Law, even as between the three states that have already adopted it, is the breach notification requirements. Generally, the triggering event is the same.  The covered entity suffers a data breach, either security incident or “event”. In South Carolina, Ohio and Michigan, the state laws require the covered entity to notify their state insurance regulator if the event affects 250 or more state residents.  So all three states have a threshold number of people that need to be affected, which is not uncommon. For example, under HIPAA, a covered entity only has to report an incident if more than 500 patient records are compromised.

However, unlike HIPAA that gives a covered entity 60 days to notify, South Carolina requires notice to the state insurance director within 72 hours of detecting a cybersecurity event. Ohio is a little more lenient giving entities three (3) business days, while Michigan is the most lenient allowing ten (10) business days to report.  (For those of you who have been following international data privacy, the South Carolina timeline mirrors the timeline for notification under the GDPR).

One point of particular interest is that Ohio’s law continues the state tradition of a “safe harbor” provision.  The “safe harbor” allows licensees that are in compliance with the law to have an affirmative defense against any tort claim.  This is similar to Ohio’s general breach notification law, which has a substantially similar provision.

In addition to the breach notification provisions, the Model Law (and the 3 state versions) also have interesting, proactive requirements that echo the NYDFS cyber regulation.   Covered entities are required to perform ongoing risk assessments. They must have written information security programs and establish organization-wide cybersecurity governance with oversight by the board of directors. In addition, covered entities are required to perform, and be able to prove, that they have a vendor management program.  They must demonstrate oversight into third-party service providers. Covered entities must also be able to show that they have a written breach response plan. And, just like NYDFS, covered entities are required to certify their compliance.

The Model Law is a step in the right direction in terms of developing and maintaining comprehensive and consistent security programs.  However, it is yet another example of the siloed approach that we take to security and privacy domestically. Other than the California Consumer Privacy Act (“CCPA“) and the European Union’s General Data Protection Regulation (“GDPR“), both of which are not broken down by industry , the US approach is to only look at privacy and security on an industry-by-industry basis.  

You have HIPAA for healthcare and NYDFS for financial institutions, and now the Model Law (and its state-by-state iderations) which will apply to the insurance industry.  But we don’t have a single regulation that would universally apply. A polestar that all businesses can follow.  And until we do, we (the data subjects) and organizations are stuck with a sense of confusion and dissociation.  Having one regulation, “one ring to rule them all” if you will, will allow businesses to spend less money on cyber programs and allow consumers to have confidence that each business, service, etc., that they use are all playing on the same ballfield by the same rules.

So, congratulations.  The Model Law is a great thing. And South Carolina, Ohio and Minnesota legislators are taking the necessary steps in the absence of an overarching federal regulation. But, while a step in the right direction, this journey is far from over. If you are a business, you need to understand the cacophony of regulations and how they apply to your business. The trick here is to understand your data; what it is, where it comes from, what you do with it, and when you can get rid of it. Having that level of understanding is really a step forward.  The last thing you want to be doing if figuring it out when you are under investigation by a regulatory authority or are responding to a breach.  And remember, when dealing with differning and confusing regulatory frameworks, luck favors the prepared.


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.