{"id":13227,"date":"2023-01-12T21:44:00","date_gmt":"2023-01-13T02:44:00","guid":{"rendered":"https:\/\/www.resourcepro.com\/data-security-the-naic-model-laws\/"},"modified":"2024-07-24T11:25:11","modified_gmt":"2024-07-24T15:25:11","slug":"data-security-the-naic-model-laws","status":"publish","type":"post","link":"https:\/\/www.resourcepro.com\/blog\/data-security-the-naic-model-laws\/","title":{"rendered":"Data Security: The NAIC Model Laws"},"content":{"rendered":"\r\n<p><em>Elaine is a Senior Specialist at ReSource Pro Compliance<\/em><\/p>\r\n\r\n\r\n\r\n<p>On January 1, 2023, Iowa and Vermont became the latest states to begin enforcing their versions of the NAIC\u2019s\u00a0<a href=\"https:\/\/content.naic.org\/sites\/default\/files\/inline-files\/MDL-668.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Insurance Data Security Model Law (MDL-668)<\/a>. Maryland rolls out its initial requirements in October 2023. These jurisdictions join the 18 other states that have implemented (or are in the process of implementing) such regulations.<\/p>\r\n\r\n\r\n\r\n<p>While high-profile hacks and a general rise in cybercrime levels continue to call attention to the need for robust data security programs, it\u2019s important to understand that MDL-668 isn\u2019t the only model law intended to improve data security for the insurance industry.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\" id=\"h-insurance-information-and-privacy-protection-model-act-mdl-670\"><strong>Insurance Information and Privacy Protection Model Act (MDL-670)<\/strong><\/h2>\r\n\r\n\r\n\r\n<p>First approved in October 1992, this\u00a0<a href=\"https:\/\/content.naic.org\/sites\/default\/files\/inline-files\/MDL-670.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">model law<\/a>\u00a0establishes standards for the collection, use, and disclosure of information gathered in connection with insurance transactions. 
The goal of the law is to minimize the intrusive nature of the data collection process. It also allows individuals greater control over data pertaining to them.<\/p>\r\n\r\n\r\n\r\n<p>Key provisions of the model law include limitations and conditions for the use of:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Pretext interviews,<\/li>\r\n\r\n\r\n\r\n<li>Marketing and research surveys,<\/li>\r\n\r\n\r\n\r\n<li>Investigative consumer reports, and<\/li>\r\n\r\n\r\n\r\n<li>Previous adverse underwriting decisions.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Generally, these guidelines ensure that applicants or policyholders understand\u00a0<em>who<\/em>\u00a0is collecting information about them and whether or\u00a0<em>how<\/em>\u00a0that information may influence underwriting decisions.<\/p>\r\n\r\n\r\n\r\n<p>The law also outlines standards and procedures for:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Notifying applicants\/policyholders regarding insurance information practices,<\/li>\r\n\r\n\r\n\r\n<li>Authorizing the disclosure of information,<\/li>\r\n\r\n\r\n\r\n<li>Disclosing personal information,<\/li>\r\n\r\n\r\n\r\n<li>Accessing personal information held by insurers\/producers,<\/li>\r\n\r\n\r\n\r\n<li>Correcting, amending, and\/or deleting such information, and<\/li>\r\n\r\n\r\n\r\n<li>Explaining\/documenting adverse underwriting decisions.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>While these procedures vary in detail, they include several common features such as requiring timely, written communication; placing time limits on the use of information; and documenting the sourcing of information. Under these protections, insureds play an active role in verifying the integrity of the information used to make underwriting decisions concerning them. 
The NAIC\u2019s Privacy Protections (H) Working Group is currently working to\u00a0<a href=\"https:\/\/content.naic.org\/sites\/default\/files\/inline-files\/MLR_670and672-Request.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">revise this model law<\/a>. This is in response to the exponential increase in the amount of information being collected. It plans to complete the revision process by the\u00a0<a href=\"https:\/\/content.naic.org\/events\" target=\"_blank\" rel=\"noreferrer noopener\">2023 Summer National Meeting<\/a>.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>Privacy of Consumer Financial and Health Information Regulation (MDL-672)<\/strong><\/h2>\r\n\r\n\r\n\r\n<p>This 2017\u00a0<a href=\"https:\/\/content.naic.org\/sites\/default\/files\/MO672.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">model law<\/a>\u00a0specifically addresses the standards and procedures for the collection and use of nonpublic personal health and financial information in making underwriting and claims decisions.<\/p>\r\n\r\n\r\n\r\n<p>The law mandates the following communications to consumers:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Initial privacy notices<\/li>\r\n\r\n\r\n\r\n<li>Annual privacy notices<\/li>\r\n\r\n\r\n\r\n<li>Opt-out notices<\/li>\r\n\r\n\r\n\r\n<li>Authorizations to disclose nonpublic information<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>MDL-672 provides detailed requirements for the content and form of these communications. It also addresses the method of their delivery. Oral communication, either in person or by telephone, is NOT sufficient. Appendix A offers sample language, while Appendix B offers the Federal Model Privacy Form as a template. 
Insurance organizations do not have to use this template, however, if their chosen privacy form meets the criteria set out in Section 7.<\/p>\r\n\r\n\r\n\r\n<p>The model law also imposes limits on the disclosure of nonpublic financial information, on the redisclosure or reuse of such information, and on sharing account numbers for marketing purposes. It also sets out a \u201creasonability\u201d standard for opt-out procedures and lists various exceptions to the opt-out requirements.<\/p>\r\n\r\n\r\n\r\n<p>Lastly, NAIC explains how its model law relates to other state laws governing data security and consumer privacy and to federal laws such as the\u00a0<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Health Insurance Portability and Accountability Act (HIPAA)<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/statutes\/fair-credit-reporting-act\" target=\"_blank\" rel=\"noreferrer noopener\">Fair Credit Reporting Act (FCRA)<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>Like MDL-670, the Privacy of Consumer Financial and Health Information Regulation is currently under review by the Privacy Protections (H) Working Group.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>Updates to the Insurance Data Security Model Law<\/strong><\/h2>\r\n\r\n\r\n\r\n<p>While MDL-668 is not currently under review, it\u2019s worth noting that the New York DFS\u00a0<a href=\"https:\/\/www.dfs.ny.gov\/reports_and_publications\/press_releases\/pr20221109221\" target=\"_blank\" rel=\"noreferrer noopener\">recently proposed<\/a>\u00a0significant amendments to its landmark cybersecurity regulation, 23 NYCRR 500. This law profoundly influenced the scope and language of the NAIC\u2019s model law. 
The\u00a0<a href=\"https:\/\/www.dfs.ny.gov\/system\/files\/documents\/2022\/10\/rp23a2_text_20221109_0.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">proposed amendment<\/a>\u00a0creates \u201ctiers\u201d of licensed entities to better reflect the challenges smaller businesses face in complying with the law. It also enhances governance requirements; requires additional security controls; and heightens the standards for risk and vulnerability assessments, incident response and recovery planning, and employee training. It remains to be seen whether the state legislature will adopt the amendment; and if so, what influence this change might have on the model law or the versions of it\u00a0adopted by 21 states.<\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<p>For more information on data security laws and other regulatory changes impacting the insurance industry, visit our\u00a0<a href=\"https:\/\/www.ilsainc.com\/newsroom\/\" target=\"_blank\" rel=\"noreferrer noopener\">Newsroom<\/a>. And for help developing and implementing a comprehensive compliance strategy,\u00a0<a href=\"https:\/\/www.resourcepro.com\/services\/compliance\/?utm_source=blog&amp;utm_medium=cta&amp;utm_campaign=data-security-compliance&amp;utm_term=agency&amp;utm_content=visit-compliance-page\" target=\"_blank\" rel=\"noreferrer noopener\">visit our compliance page<\/a>.<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>More and more states are beginning to enforce their versions of the NAIC\u2019s\u00a0Insurance Data Security Model Law. 
While high-profile hacks and a general rise in cybercrime levels continue to call attention to the need for robust data security programs, it\u2019s important to understand that MDL-668 isn\u2019t the only model law intended to improve data security for the insurance industry.<\/p>\n","protected":false},"author":64,"featured_media":13228,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"news-category":[],"insurance-segment":[],"services":[],"type-of-content":[38],"resource-type":[67],"class_list":["post-13227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","type-of-content-blogs","resource-type-blog"],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-04-19 10:44:38","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/posts\/13227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/users\/64"}],"replies":[{"embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/comments?post=13227"}],"version-history":[{"count":3,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/posts\/13227\/revisions"}],"predecessor-version":[{"id":15588,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/posts\/13227\/revisions\/15588"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/media\/13228"}],"wp:attachment":[{"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/media?parent=132
27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/categories?post=13227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/tags?post=13227"},{"taxonomy":"news-category","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/news-category?post=13227"},{"taxonomy":"insurance-segment","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/insurance-segment?post=13227"},{"taxonomy":"services","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/services?post=13227"},{"taxonomy":"type-of-content","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/type-of-content?post=13227"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/www.resourcepro.com\/wp-json\/wp\/v2\/resource-type?post=13227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}