Cybersecurity and consumer data privacy remain a top priority for the insurance industry, so it’s time for the third annual update of our guide to cyber compliance resources. With the October 2022 federal “deadline” for the adoption of MDL-668 rapidly approaching, additional states continue to pass versions of this legislation. Kentucky recently became the 21st state to adopt the model law.
Several more states have also passed comprehensive consumer data privacy legislation. These laws take their lead from the California Consumer Privacy Act (CCPA), which took effect in 2020 and was itself inspired by the European Union's General Data Protection Regulation (GDPR).
Remember, however, that these laws and regulations may not be the only ones applicable to your insurance business in each jurisdiction. The charts below provide key implementation dates as well as links to the texts of the laws/regulations. Where available, there are also links to the state-specific cybersecurity compliance resources.
NAIC Insurance Data Security Model Law
Data security (or cybersecurity) legislation focuses on the hardware and software used to store and manipulate data, and on the procedures for using such systems. To date, eight states have fully implemented their own versions of MDL-668. This count does not include New York. Its cybersecurity law, which became fully effective in March 2019, pre-dates the NAIC model law. While 23 NYCRR Part 500 heavily inspired MDL-668, it differs from it on a number of key points — most notably its certification of compliance requirements.
The table includes:
- Enacted and effective dates for the legislation (with a link to the text)
- Dates for implementing cyber event reporting and risk assessment, the information security program, and oversight of third-party vendors
- The annual deadline for certification of compliance (for domiciled carriers only, unless otherwise specified)
- Links to the state insurance departments’ cybersecurity resource centers
For more information on what steps licensees need to take during each implementation phase, please refer to our 2021 Cybersecurity Resources Update.
Hawaii, Minnesota, North Dakota, Tennessee, and Virginia will all implement key aspects of their laws before the end of this year.
Comprehensive Consumer Data Privacy Legislation
Data privacy laws address the rights of the individuals (or companies) whose data is collected: the right to know who collects their information and how it is used. Currently, five states have such legislation on the books, although only California has fully implemented its law; the remaining laws do not take effect until 2023. In 2020, California voters also approved the California Privacy Rights Act (CPRA), which significantly expands certain provisions of the CCPA. CPRA takes effect in January 2023 as well.
| STATE | ENACTED | EFFECTIVE | LINK TO TEXT |
|---|---|---|---|
| CA | 6/28/2018 | 1/1/2020 | California Consumer Privacy Act (CCPA) |
| CA | 11/3/2020 | 1/1/2023 | California Privacy Rights Act (CPRA) |
| CO | 7/8/2021 | 7/1/2023 | Colorado Privacy Act (CPA) |
| CT | 5/10/2022 | 7/1/2023 | Public Act No. 22-15 (SB 6) |
| UT | 3/24/2022 | 12/31/2023 | Utah Consumer Privacy Act (UCPA) |
| VA | 3/2/2021 | 1/1/2023 | Virginia Consumer Data Protection Act (VCDPA) |
As of June 9, 2022, six additional states have data privacy bills in committee. Twenty-one other jurisdictions have bills listed as “inactive.”
For more information on data security and data privacy regulations for the insurance industry, follow the ILSA Newsroom for the latest state bulletins and press releases.
And if you need help meeting your cybersecurity needs, ILSA collaborates with Renaissance Systems, Inc. (RSI) to offer best-in-class automated cyber risk management tools and professional services.