ALTA Helps Pressure NAIC to Open Dialogue About State Model Cyber Law

April 21, 2016

Responding to feedback and pressure from ALTA and state regulators, the commissioner of the National Association of Insurance Commissioners has agreed to hold an extended in-person discussion to address concerns about the NAIC’s proposed state model cybersecurity law.

In March, ALTA submitted a letter to the NAIC’s Cybersecurity Task Force outlining concerns with the group's draft Insurance Data Security Model Law. ALTA encouraged the NAIC to work with state attorneys general and consider whether states will pass two different data security laws: one for insurance and a separate one for all other businesses. ALTA suggested that the NAIC host an open conversation about data security that facilitates consensus about our shared goals and pain points. Finally, ALTA expressed concern that the proposal does not adequately take scalability into account. ALTA believes that an insurance-specific data security law could conflict with other state and federal data security laws, making it impossible for title and settlement agents to comply with all their legal and contractual obligations.

“We are concerned that the Preliminary Working and Discussion Draft would not establish a single standard for consumer protection, which is likely to create confusion and conflict among various regulators, state attorneys general, courts, industry and consumers,” Justin Ailes, ALTA’s vice president of government and regulatory affairs, wrote in the letter. “As currently written, the Preliminary Working and Discussion Draft appears to take the most severe penalties, add an extensive additional regulatory burden and private rights of action under state regulation. No state today approaches data security in this manner.”

ALTA’s letter includes a section-by-section review of the Insurance Data Security Model Law draft.

As it continues to consider a standard for data security and investigation and notification of a breach of data security, ALTA encourages the NAIC to consult existing state and federal requirements that licensees are already required to follow.

“It may also be prudent for the NAIC to engage with and solicit comment about the Preliminary Working and Discussion Draft from state and federal regulators including state Attorneys General, the Federal Trade Commission (FTC), and Consumer Financial Protection Bureau (CFPB),” according to Ailes.

Interestingly, a new report from SecurityScorecard shows that U.S. federal, state and local government agencies rank in last place in cybersecurity when compared against 17 major private industries, including financial services, retail and health care.

The analysis measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.

ALTA, through its Liaison Committee with the NAIC, will continue to work with the task force to improve the draft model act. If you have any questions, email Ailes at

Contact ALTA at 202-296-3671 or