The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) was finalized in October 2017 and subsequently passed in South Carolina, Ohio, Michigan, Mississippi, Alabama, Delaware, and New Hampshire. Moreover, the NAIC model borrowed heavily from the New York Department of Financial Services Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). The NAIC's 2017 passage of its model law set the stage for several state legislatures to include it on their legislative calendars beginning in 2018 and continuing today.

Most recently, Delaware and New Hampshire passed versions of the law; Delaware Governor John Carney (D) signed its iteration into law on July 31, and New Hampshire Governor Chris Sununu (R) signed its version on August 2. Below are some of the highlights of the Delaware law.

Like most of the earlier versions, the Delaware version of the law was based on the NAIC model and the South Carolina Insurance Data Security Act. Delaware's law applies to all "licensees," which are defined as people who are or should be licensed pursuant to the insurance laws of Delaware. Under the Delaware law, licensees are required to develop and put in place an information security program within one year from the date of passage of the law, and licensees are required to report some types of cybersecurity events to the Delaware insurance commissioner.

The Delaware law also allows the insurance commissioner to impose administrative (financial) penalties against licensees found to be violating this law. Like the others, it also requires that licensees develop, implement, and maintain a written information security policy (WISP), and it provides the insurance commissioner with the authority to investigate the activities of licensees to ensure compliance with the new law.

Like most similar laws, the Delaware version provides for phased-in implementation over the course of one or two years, depending on the provision. Also like the other states’ versions, there are exemptions for certain categories of possible licensees. In Delaware, exemptions from some parts of the law are available to licensees with fewer than 15 employees or those that can certify to the Delaware Department of Insurance their compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This post is part of a series on the adoption of the NAIC Insurance Data Security Model Law (MDL-668) in states across the country. To find posts on other states’ versions of MDL 668, click on "data security" under "Tags" on the right-hand side of the page.