
NAIC Model Law: What Your Insurance Firm Should Know About Data Security


Insurance organizations are subject to a dizzying array of compliance standards. If you work at a health insurance company, you are already familiar with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), which enforces it. If you are in the U.S., you deal regularly with your state insurance commissioner. And because insurers are treated as financial institutions under the Gramm-Leach-Bliley Act (GLBA), its privacy and safeguards requirements apply whether you sell health, life, property or casualty coverage.

That’s enough to keep any insurance firm busy. But it doesn’t end there.

In October 2017, the National Association of Insurance Commissioners (NAIC) responded to the need for greater information security in the industry by adopting the Insurance Data Security Model Law (we'll call it the NAIC Model Law; the NAIC catalogs it as Model Law #668, though it is actually the most recent of 24 related laws). A model law is not itself a regulation: it is a template that each state legislature or insurance department can adopt. This one was based largely on the cybersecurity regulation the New York Department of Financial Services had already put in place (23 NYCRR Part 500). Five years later, many states have adopted it and require licensed insurance companies to follow its standards and best practices, with some variation in wording and deadlines from state to state.

The NAIC Model Law adds to your list of compliance-related responsibilities. Let’s explore what that could mean for your organization’s information security programs.

What Does the NAIC Model Law Require?

The NAIC Model Law requires each licensee to “develop, implement, and maintain a comprehensive written Information Security Program.” The program must be commensurate with the size and complexity of the company, the nature and scope of its activities (including its use of third-party service providers), and the sensitivity of the nonpublic information it holds. In other words, a regional carrier and a national group are held to the same objectives, but not to the same level of controls.

Your security program must be designed to:

  • Protect the security and confidentiality of nonpublic information and the security of your information systems.
  • Protect against any threats or hazards to the security or integrity of that information and those systems.
  • Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to consumers.
  • Define, and periodically re-evaluate, a schedule for retention of nonpublic information.
  • Provide a mechanism for destroying nonpublic information when it is no longer needed.

You will also need to designate one or more employees, an affiliate, or an outside vendor to be responsible for the program. The program is not a “set it and forget it” initiative: the NAIC Model Law requires a risk assessment that identifies reasonably foreseeable internal and external threats, estimates their likelihood and potential damage, and evaluates whether existing safeguards are sufficient, followed by risk management that implements appropriate controls and reassesses them as the business and the threats change. The law also expects you to exercise due diligence over third-party service providers that handle your nonpublic information, and it sets an incident clock: a cybersecurity event must be reported to the insurance commissioner as promptly as possible and no later than 72 hours after you determine it occurred. Finally, executive management must report in writing, at least annually, to the board of directors (or an appropriate committee) on the program's status and on material cybersecurity events, and the licensee certifies compliance to the commissioner each year.

Supporting NAIC Model Law Compliance with Technology

The specifics of the NAIC Model Law probably sound a lot like those of other data privacy regulations. But complying with this and other regulations isn’t always easy for insurance companies. Why not?

Unlike other industries, where service providers have long used mobile apps and websites to exchange information with their customers, the insurance industry is still establishing itself in the digital space. Many insurers have little experience building interactive websites and mobile apps, yet consumers are demanding them, and every new customer-facing channel is a new place where nonpublic information is collected, transmitted and stored.

Adding to the push towards digital, the insurance industry has been slower than others to bring employees back to the office after COVID. Many insurance employees continue to work from home and will likely do so for the foreseeable future. Remote work expands the attack surface: data now travels over home networks and personal devices, and employees reach for whatever tool is at hand to move files. Consider how much merger and acquisition information, call center data, and executive communication your firm exchanges with third parties each day, and how much of it now leaves the corporate network to get there.

What is an insurance company to do in this environment? Many firms use general-purpose file sharing services to exchange information with parties outside their network. Those services typically protect a file with nothing more than the recipient's account password or a shareable link, and the provider, not the insurer, holds the encryption keys, which makes it hard to demonstrate the access controls, retention schedule and destruction mechanism the NAIC Model Law asks for. A more consistent and defensible approach is an encrypted file sharing platform designed to meet regulated-document requirements for insurance, government, defense, healthcare, education, and other organizations that need to share and collaborate on sensitive files.

That is what Cocoon Data delivers, and why customers around the world trust us to help them share data compliantly. Try our no-obligation demo and get your questions answered. Contact us today.


Sep 19, 2022
