In the United States, a significant legislative trend is on the horizon for insurers in 2020: a new breed of state privacy and cybersecurity laws.  In the absence of federal intervention, a growing number of state legislatures are enacting laws and regulations modeling California’s Consumer Privacy Act for all businesses, and, in parallel, prescribing privacy and cybersecurity requirements directed at insurers.  To help insurers stay ahead of the curve, we summarize below several cybersecurity measures set to go into effect later this year.

The trend began with New York.  The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (Part 500) was enacted in 2017, and took full effect on March 1, 2019.  Initially, it stood as the first cybersecurity regulation broadly directed at financial services companies, including insurers.  

Shortly thereafter, however, and in anticipation of further legislative activity in this area, the National Association of Insurance Commissioners (NAIC) (the industry’s state-based standard-setting organization) collaboratively proposed a “Data Security Model Law” to help harmonize cybersecurity requirements for insurers.  Eight states thus far have since adopted a version of the NAIC’s Model Security Law.

Elements of a Model Security Law

Although differences exist, each state version of NAIC’s Model Security Law requires insurers to do the following: 

  1. Conduct a risk assessment and implement and maintain a cybersecurity program that is based on identified risks;
  2. Develop, implement, and maintain incident response plan;
  3. Provide oversight of third-party service providers;
  4. Investigate and report data security incidents; and
  5. Certify compliance with the respective law/model regulation.

Primary differences among the laws and the Model Security Law relate to the definitions of cybersecurity events and notifications, the scope of certain exemptions, and certain prescriptive requirements outlined in New York’s Cybersecurity Regulation.

Regulatory Transition Period

The NAIC’s Model Security Law generally allows for two transition periods so insurers have time to implement the new administrative, technical, and physical regulatory requirements.  The first transition period covers the actual security program requirements, and the second transition period covers requirements to ensure third party safeguards.  South Carolina was the first state to adopt the Model Security Law with its first transition period ending on July 1, 2019, and the requirements related to third party safeguards scheduled to take effect on July 1, 2020.  

Model Security Law Deadlines

Below is the full set of deadlines (in deadline order) for both the security program and third-party safeguards in each of the states that have adopted a version of the NAIC’s Model Security Law.

# Phase 1 “Security” Deadline Phase 2 “Third Party” Deadline State Comments
1 July 1, 2019 July 1, 2020 South Carolina July 1, 2019 is deadline for implementing a comprehensive, written information security program.  February 15, 2020 is deadline for each insurer domiciled in South Carolina to annually submit a written statement certifying compliance.  By July 1, 2020, insurers must have implemented requirements for third-party service providers.
2 March 30, 2020 March 20, 2021 Ohio  
3 April 25, 2020 April 25, 2021 Alabama  
4 July 1, 2020 July 1, 2021 Mississippi  
5 July 31, 2020 July 31, 2021 Delaware  
6 October 1, 2020 October 1, 2021 Connecticut  
7 January 1, 2021 January 1, 2022 New Hampshire  
8 January 20, 2022 January 20, 2023 Michigan  

Further Information

We can expect to see additional states enacting Model Security Laws in 2020.  In fact, on January 29, 2020, Assembly Bill 819, which follows the Model Security Law, was introduced in the Wisconsin State Assembly.  Insurers should also expect states to introduce other legislation targeted at data security as state legislatures go in session for this year.  To learn more about these regulatory trends impacting insurers, visit the NAIC’s website at

If you have any questions about how these requirements apply to you or any other privacy law, please do not hesitate to reach out to authors Brian Hengesbaugh and Harry Valetk .

Related Posts

Are You Ready for SHIELD? – New York’s new data protections for consumers


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Write A Comment