NAIC Insurance Data Security Model Law Update: Vermont Becomes 21st State | Locke Lord LLP


Vermont Governor Scott has signed the Vermont Insurance Data Security Act (the “VIDSL”), making Vermont the 21st state to pass cybersecurity legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (NAIC Model 668). Importantly for many licensees, the new Vermont law, which goes into effect January 1, 2023 (with some delayed compliance dates), codifies an Editors’ Note to NAIC Model 668 (which has not been adopted in all state implementations) indicating that compliance with the New York Department of Financial Services cybersecurity regulations, with written certification of such compliance, is deemed to meet the requirements of VIDSL.

There are some differences between VIDSL and NAIC Model 668, the most significant of which is Vermont’s lack of a requirement to report certain cybersecurity events to the Commissioner. Instead, the VIDSL specifically provides that it “shall not be construed to alter any aspect of the Security Breach Notification Act, 9 VSA § 2435”, which requires entities regulated by the Department of Financial Regulation to notify the Department of certain cybersecurity events, but without the 72-hour timeframe of NAIC Model 668.

For those following, NAIC Model 668 has been adopted in the following 21 states as of June 21, 2022: AL, AK, CT, DE, HI, IA, KY, LA, ME, MD, MI, MN, MS, NH, ND, OH, SC, TN, VT, VA and WI.

