Two additional states recently adopted versions of the NAIC Data Security Model Law. On April 30, 2021, Iowa governor Kim Reynolds signed HF 719, and on May 6, 2021, Tennessee governor Bill Lee signed HB 0766. Both statutes require licensees to develop, implement, and maintain an information security program to protect nonpublic information.
Effective in 2022, the statutes require that each year insurers domiciled in the state submit to the Commissioner a written certification of compliance with the statute. If there is a cybersecurity event, the licensee must conduct a prompt investigation, including notifying the commissioner as soon as possible. Furthermore, affected consumers or those consumers reasonably believed to have been affected must also be notified.
Furthermore, Louisiana, having passed a similar law in June 2020, issued Bulletin 2021-04 reminding licensees that they are required to have designed and implemented a compliant information security program by August 1, 2021.
For more information on HF 719, HB 0766, La. R.S. 22:2501, or any other questions regarding licensee’s cybersecurity reporting responsibilities, please contact Westmont Associates, Inc.