Adopted in the fourth quarter of 2017, the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (Model Law) requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program; to investigate any cybersecurity event; and to notify the state insurance commissioner of such events.
States are now introducing and passing legislation based on the Model Law, and the US Treasury Department has recommended federal legislation if the states have not adopted it uniformly within five years.
Thales provides many of the solutions you need to comply with the Insurance Data Security Model Law’s requirements.
According to Section 2 of the act:
The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees, as defined in Section 3.
Section 3 defines “Licensee” as follows:
“Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State ...
Section 3 also notes:
“Cybersecurity Event” means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.
The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.
We excerpt below the specific Sections of the Model Law with which Thales can help your organization comply:
Section 4. Information Security Program
D. Risk Management
Based on its Risk Assessment, the Licensee shall:
(2) Determine which security measures listed below are appropriate and implement such security measures.
(a) Place access controls on Information Systems, including controls to authenticate and permit access only to Authorized Individuals to protect against the unauthorized acquisition of Nonpublic Information;
(d) Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;
(e) Adopt secure development practices for in-house developed applications utilized by the Licensee …;
(g) Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information;
(i) Include audit trails within the Information Security Program designed to detect and respond to Cybersecurity Events …;
(k) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format
Section 5. Investigation of Cybersecurity Event
If the Licensee learns that a Cybersecurity Event has or may have occurred, the Licensee or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation.
Thales can help you meet many of the compliance requirements in the Model Law through the following:
Thales’ Access Management and Authentication solutions and CipherTrust Manager protect sensitive data by enforcing the appropriate access controls when users log in to systems and applications that store sensitive data. By supporting a broad range of authentication methods and policy-driven, role-based access, our solutions help enterprises mitigate the risk of a data breach caused by compromised or stolen credentials or by insider credential abuse.
Thales’ CipherTrust Transparent Encryption protects data with file- and volume-level data-at-rest encryption, access controls, and data access audit logging, without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast: agents are installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the CipherTrust Manager.
CipherTrust Tokenization lets administrators establish policies that return an entire field tokenized or dynamically mask parts of a field. With the solution’s format-preserving tokenization capabilities, managers can restrict access to sensitive assets while keeping the protected data in a format that lets users do their jobs.
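To make the two policy outcomes above concrete (return the whole field as a format-preserving token, or show a given role only part of it), here is an added example that is not part of this page or of the CipherTrust product. It is a minimal vault-style tokenizer in Go: the token keeps the field’s length, separators and last four digits; a lookup table maps tokens back to values; and a detokenization policy returns the full value to a "payments" role, a masked view to a "support" role, and refuses everyone else. The role names, the in-memory vault and the sample card number are assumptions for the example; a production tokenization service keeps the mapping in a protected store and may use a keyed format-preserving cipher instead of a vault.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Vault is an in-memory token vault (an assumption for this example only).
type Vault struct {
	toValue map[string]string // token -> original value
	toToken map[string]string // original value -> token, so repeats are stable
}

func NewVault() *Vault {
	return &Vault{toValue: map[string]string{}, toToken: map[string]string{}}
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// randomDigit draws one decimal digit from crypto/rand.
func randomDigit() (byte, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10))
	if err != nil {
		return 0, err
	}
	return byte('0' + n.Int64()), nil
}

// rewriteDigits keeps separators and the last `keep` digits of value and
// replaces every other digit with whatever repl returns (format preserved).
func rewriteDigits(value string, keep int, repl func() (byte, error)) (string, error) {
	total := 0
	for i := 0; i < len(value); i++ {
		if isDigit(value[i]) {
			total++
		}
	}
	if total <= keep {
		return "", errors.New("value has too few digits to protect")
	}
	out, seen := []byte(value), 0
	for i := range out {
		if !isDigit(out[i]) {
			continue // separators such as '-' are copied through unchanged
		}
		seen++
		if seen > total-keep {
			break // the trailing `keep` digits stay in the clear
		}
		d, err := repl()
		if err != nil {
			return "", err
		}
		out[i] = d
	}
	return string(out), nil
}

// Mask is the dynamic-masking view: all but the last `keep` digits become 'X'.
func Mask(value string, keep int) (string, error) {
	return rewriteDigits(value, keep, func() (byte, error) { return 'X', nil })
}

// Tokenize returns a stable, format-preserving token that neither collides
// with an existing token nor equals the value itself.
func (v *Vault) Tokenize(value string) (string, error) {
	if tok, ok := v.toToken[value]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 8; attempt++ {
		tok, err := rewriteDigits(value, 4, randomDigit)
		if err != nil {
			return "", err
		}
		if _, taken := v.toValue[tok]; taken || tok == value {
			continue
		}
		v.toValue[tok], v.toToken[value] = value, tok
		return tok, nil
	}
	return "", errors.New("could not allocate a unique token")
}

// Reveal applies the detokenization policy: "payments" gets the full value,
// "support" gets the masked view, every other role is refused.
func (v *Vault) Reveal(token, role string) (string, error) {
	value, ok := v.toValue[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	switch role {
	case "payments":
		return value, nil
	case "support":
		return Mask(value, 4)
	default:
		return "", fmt.Errorf("role %q is not permitted to detokenize", role)
	}
}
```

The policy decision is made at detokenization time, not at storage time, which is what lets the same stored token serve both the full-access and the masked view; the token itself carries no key material, so a copy of the token table without the vault discloses nothing beyond the last four digits.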
Designed for software vendors of all sizes and for enterprises that develop their own code, the Thales Code Signing Solution enables you to implement high assurance, high-efficiency code signing processes to protect your software from tampering and bring appropriate governance to your software publishing practices.
CipherTrust Data Security Platform includes Security Intelligence Logs that generate audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the enterprise. These logs also enable investigation of cybersecurity events.
All Thales encryption and tokenization solutions rely on cryptographic keys to encrypt and decrypt data. This means you can selectively “destroy” data simply by destroying the encryption keys for that data (often called crypto-shredding). The data is unrecoverable only if every copy of the key is destroyed, including copies in key-manager replicas, escrow and backups, and no plaintext copy of the data survives elsewhere.
Thales can work with you and your third-party service providers to ensure that their security meets your own standards. In addition, Thales has specialized cybersecurity products and services for enterprises using the Cloud, SaaS and other third-party services. These include multi-cloud encryption with centralized key and access control management, as well as cloud key management and protection.
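The following added Go example (not code from this page or from any Thales product) shows why key destruction works as disposal, and what has to hold for it to work. Each record is encrypted under its own data key, that key is stored only wrapped under a master key, and shredding a record deletes just the wrapped key: the ciphertext is still there, yet nobody, master key or not, can decrypt it, while other records stay readable. The in-memory master key, the record IDs and the sample plaintexts are assumptions for the example; in production the master key lives in a key manager or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store keeps each record's ciphertext and, separately, the record's data
// key (DEK) wrapped under a master key. The master key is held in memory only
// as an assumption for this example; in production it lives in a KMS or HSM.
type Store struct {
	master []byte
	keys   map[string][]byte // record ID -> wrapped DEK; deleted on shred
	data   map[string][]byte // record ID -> AES-GCM ciphertext
}

func NewStore(master []byte) *Store {
	return &Store{master: master, keys: map[string][]byte{}, data: map[string][]byte{}}
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM, prepending the random nonce. The record ID is
// passed as AAD so a wrapped key or ciphertext cannot be swapped between records.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Put: fresh DEK per record, data encrypted under the DEK, DEK stored wrapped.
func (s *Store) Put(id string, plaintext []byte) error {
	dek, err := randomBytes(32)
	if err != nil {
		return err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return err
	}
	wrapped, err := seal(s.master, dek, []byte(id))
	if err != nil {
		return err
	}
	s.keys[id], s.data[id] = wrapped, ct
	return nil
}

// Get unwraps the DEK and decrypts; it fails once the wrapped DEK is gone even
// though the ciphertext is still on disk.
func (s *Store) Get(id string) ([]byte, error) {
	wrapped, ok := s.keys[id]
	if !ok {
		return nil, errors.New("record missing or cryptographically shredded")
	}
	dek, err := open(s.master, wrapped, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, s.data[id], []byte(id))
}

// Shred destroys only the wrapped DEK. The ciphertext (and any backup of it)
// stays where it is but is now unrecoverable, master key or not.
func (s *Store) Shred(id string) bool {
	_, ok := s.keys[id]
	delete(s.keys, id)
	return ok
}
```

Two details carry the security argument: the per-record key means deleting one wrapped key affects exactly one record, and the AES-GCM tag over the wrapped key plus the record ID means a tampered or transplanted key is rejected rather than silently decrypting to garbage. The caveat in the text applies unchanged: if the key table itself is in a backup, the shred is only as complete as the deletion of that backup.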
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of individuals in the EU, regardless of where the organization is headquartered.
Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction, but many include a “safe harbor” clause that exempts data which was encrypted, provided the key was not also compromised.