The model law begins with a series of definitions. They are self-explanatory, and focus on defining particular information security concerns. "Information system" is a discrete set of electronic information resources used for collecting, processing, maintaining, using, or otherwise handling data including control systems such as telephone switching and environmental control systems, such as heat and air conditioning. An "information security program" is the combination of administrative, technical, and physical safeguards used to handle nonpublic information.

 Data and instructions are often verified before action is taken place. "Multi-factor Authentication" is authentication through two of the following factors; knowledge factors such as passwords, possession factors such as token or text message on a mobile phone, or inherence factors such as biometric characteristic. A user may be required to enter a password, and then enter a code sent to the user's mobile phone as the next step in authentication. Alternatively, a user may have to use a fingerprint, and then have to enter a code texted to the mobile phone. Any combination of two of the three makes it "multi-factor authentication". It is considered safer since if a password is stolen, other information that may not have been compromised is still needed to access the system.

 "Nonpublic information" is private information that if accessed by an unauthorized person could cause a material adverse impact to the business, operations, or security of the Licensee. Information that can be used to identify a consumer can be used to create false accounts and drain the consumer of his finances. Such information is the social security number, driver's license or identification card number, account, credit or debit card number, security, access or passwords that would allow access to the consumer's financial account or biometric records. Health care information that relates to the present, past, or future physical, mental or behavioral status of an individual or his family, health care provisions for the consumer, or payment for the insured's healthcare is also nonpublic information.

 While the definition of "person" would seem to be straightforward, along with individuals it includes nongovernment entities including non-governmental partnership, corporations, branches, agencies or associations.

 The opposite of "nonpublic information" is "publicly available information", which is information a licensee would expect to be made lawfully available to the public from the federal, state, or local government, widely distributed media, or disclosures to the public that are required to be made by federal, state or local law. It can be assumed that information has been made lawfully available if the licensee has taken steps to determine that the information is available to the general public and whether or not a consumer can instruct that the information be kept private and whether or not the consumer has done so. If a consumer has the option to keep his information private but does not take the required actions to do so, then the information is considered public.

 The next section of the model law outlines what is necessary in order to develop and implement an information security program. The program should be based on the licensees' size and complexity, including activities, sensitivity of data and use of third-party service providers. The plan should be outlined in writing. The program should have specific objectives, such as protecting the security and confidentiality of private information against threats and unauthorized access, and define parameters for destruction of data no longer needed.

 The risk must be assessed so that threats are identified, likelihood and potential damage of threats is determined, employees must be trained, safeguards must be put in place, and the safeguards must be assessed annually.

 Once the program has been designed, threats identified and risk assessed, the risk must be managed. Appropriate security measures must be matched with data and systems vulnerable to attack. Identification of key personnel to access certain information, restriction of physical access, encryption, audits, and other steps are needed to implement the risk management process in order to protect the organization from cyber threats.

 The board of directors should oversee the plan if one exists, and any third-party service providers must be overseen. One of the important issues is to see that the program is maintained, and that people do not get lax overtime when it comes to any security issue. Adjustments should be made to the program over time as needed.

 Knowing that many organizations with cybersecurity in place are still hacked, organizations need to establish an incident response plan to identify what happened, what data has been exposed, who needs to be notified of a breach and what happens next.

 The model law includes a section that recommends every insurer submit to the commissioner a written statement declaring compliance with the state's cybersecurity law. The insurer should keep all records related to its cybersecurity procedures for five years. If any area is deficient and not in compliance with the state's law, those areas should be identified with plans to address such areas made available to the commissioner as well.

 Certain procedures should be put in place so that once a cybersecurity event has occurred an investigation will be done. The investigation should determine whether a cybersecurity event occurred, what was the nature and scope of the event, identify any nonpublic information that may have been involved, and perform measures to restore security as soon as possible to prevent further release of nonpublic data. If the insurer discovered that the event might have occurred in a system that is maintained by a third-party provider, the insurer will follow the steps necessary to confirm and document that the provider has completed all necessary steps. Records of the event and the response to the event will be maintained for five years.

 The commissioner will be notified within seventy-two hours from a determination of a security event when this state is the licensee's state of domicile if an insurer, or if this is the licensee's home state if a producer. Or, if the licensee reasonably believes that more than 250 consumers' nonpublic information is involved in the breach and that either the event impacts the licensee to where notice is required or the event has the likelihood of materially harming consumers living in the state or any material part of the normal operations of the licensee.

 The commissioner must receive as much information as possible including:

·date of the event,

·description of how the information was breached and responsibility of third-party service providers, if any,

·how the event was discovered,

·if any lost information has been recovered and if so how,

·the identity of the source of the event,

·if licensee has filed police or government report and when,

·types of information accessed without authorization,

·time during which the information was compromised,

·number of consumers affected,

·results of internal reviews identifying any lapse in controls or internal procedures, and confirming that controls and procedures were followed,

·description of remediation efforts,

·copy of privacy policy and outline of steps to notify consumers affected,

·name of contact person familiar with the event and authorized to act for licensee.

Notifications to the consumers will comply with the state's data breach notification law, and a copy of the consumer notice will be sent to the commissioner when required by statute.

 If the licensee is aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee will notify the commissioner within seventy-two hours if the event happens in the licensee's state of domicile or home state, or the licensee believes that nonpublic information of 250 or more consumers living in the state has been impacted. The event must be one where notice is required to be provided to any government body, or have a likelihood of harming a consumer in the state or part of the licensee's normal operations.

 Reinsurers face the same risks ceding insurers do. If a reinsurer does not have a relationship with the consumers whose data has been breached, the reinsurer must notify the ceding insurer and the commissioner within seventy-two hours. The ceding insurer will then fulfill the consumer notification requirements under the state's cyber breach laws and any other notification requirements. If the event involves nonpublic information that is in the possession, custody or control of a third-party service provider of a reinsurer, once the reinsurer has received notice of the event the reinsurer will notify its affected ceding insurers and the commissioner within seventy-two hours that an event has occurred. Again, the ceding insurers will notify consumers and fulfill the notification requirements.

 When a carrier or its service provider is aware of a security event affecting consumers' nonpublic information, the insurer, as directed by the commissioner shall notify producers as soon as possible. If the insurer does not have the current producer of record information, the insurer is excused from this obligation.

 Aside from the powers granted to the commissioner by state statutes, the commissioner may examine and investigate the affairs of any licensee to determine if the licensee has been or is engaged in conduct that violates the model act. If the commissioner believes that a licensee has engaged in such conduct that violates the model act, the commissioner may take necessary action to enforce the provisions of the act.

 Documents, materials and records in the control or possession of the department furnished by a licensee or obtained by the commissioner in an investigation of a security event will be confidential by law and will not be subject to subpoenas, subject to discovery or admissible in evidence in any private action. This protects the consumer data, even when a breach may be under investigation. However, the commissioner has the authority to use the documents and materials in the furtherance of regulatory or legal action brought as part of his duties. No one who receives documents while acting under the commissioner's authority will be permitted or required to testify in any private civil action regarding such confidential documents.

 The commissioner may share documents and other information with other state and federal regulatory agencies, with the NAIC and law enforcement as long as the recipient agrees in writing to maintain confidentiality and privileged status of the documents. Before information is shared with other agencies, those agencies must agree in writing to maintain the same level of confidentiality. Likewise, information from such agencies may be received by the commissioner and will be maintained as confidential and privileged information, and may enter into agreements regarding sharing and use of said information.

 This confidentiality may not be waived, and the commissioner may release final, adjudicated actions that are open to public inspection pursuant to any appropriate state laws to a database or other clearinghouse service maintained by the NAIC. Confidentiality is always to be maintained throughout the investigation of any breach.

 Some exceptions apply to the act. Licensees with fewer than ten employees are exempt from developing an information security program. Any licensee subject to the Health Insurance Portability and Accountability Act that has and maintains an information security program as part of that act will be considered as meeting the requirements of having an information security system. Employees, agents, representatives or designees of a licensee who are also licensees are exempt from having to develop their own information security program as long as the program of the other licensee covers them. Mabel has a large insurance agency with several employees. Because Mabel has such a large operation, she has implemented an information security program with policies and procedures. Therefore, Doug, who works for Mabel, does not have to create his own system as he is covered under Mabel's.

 Any licensee that no longer qualifies for an exception will have 180 days to comply with the act. Violations of the act will be penalized as outlined in the appropriate statute. The commissioner will issue regulations in order to carry out the provisions of this act.

 Beyond this, the model act has provisions allowing the commissioner to issue regulations as needed to carry out the act, that provisions applicable to any person are severable from other persons, and that an effective date is established for the act.