NAIC-inspired cybersecurity model law adopted in Maine
A requirement of the law is a written information security program aligned with the size and complexity of a business.
A version of the model data security law developed by the National Association of Insurance Commissioners (NAIC) has been adopted in Maine following the passage of the Maine Insurance Data Security Act.
The law sets standards for insurers licensed in the state, requiring them to develop, implement, and maintain a written information security program that aligns with the size and complexity of their business based on a risk assessment. Risk assessments must be conducted annually to assess the effectiveness of cybersecurity controls, information systems and other safeguards to manage threats.
When a cybersecurity event does occur, insurers, or outside vendors acting on behalf of insurers, are required to conduct a prompt investigation and notify the superintendent no later than three business days after the event is discovered. The insurer must provide a copy of the notice to the consumers.
The Maine Insurance Data Security Act takes effect on January 1, 2022.
The NAIC adopted its insurance data security guidelines in 2017 to put in place data security standards for regulators and insurers to mitigate damage from a data breach.
Several states have adopted versions of the model law, including Alabama, Connecticut, Delaware, Indiana, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia.