Data Security Compliance with the NAIC Data Security Law

How Thales solutions help with NAIC Data Security Law Compliance

The NAIC Data Security Law

The National Association of Insurance Commissioners (NAIC) Data Security Law (Model Law) requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security programme; investigate any cybersecurity events; and notify the state insurance commissioner of such events. The NAIC model law provides a blueprint for state-level laws regulating insurance companies. The main recommendations of the law include:

  • Develop a written information security programme
  • Assign information security responsibility
  • Perform periodic risk assessments
  • Implement key cyber security safeguards
  • Prepare incident response plans and procedures
  • Regularly monitor and report on programme status
  • Implement Service Provider oversight
  • Provide Board-level oversight

Which companies are subject to NAIC Data Security Law?

The law applies to licensees of each state insurance bureau. This includes (with some exceptions) insurance industry companies, agencies, agents, public adjusters, and brokers.

When did the NAIC Data Security Law come into effect?

The National Association of Insurance Commissioners officially adopted the Data Security Law in the fourth quarter of 2017. As of May 2023, 22 states have enacted versions of the law: Alabama, Alaska, Connecticut, Delaware, Hawaii, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Vermont, Virginia, and Wisconsin.

What are the penalties for NAIC Data Security Law non-compliance?

The suggested penalties for non-compliance with the NAIC Data Security Law are up to $500 per violation (subject to a maximum of $10,000). If the insurer/producer violates the commissioner’s cease and desist order, suggested penalties are up to $10,000 per violation (subject to a maximum of $50,000). Individuals at those institutions can be fined up to $10,000 for each violation and may also be sentenced to up to five years in prison.

How Thales can help with NAIC Data Security Law compliance

Thales helps organisations comply with the NAIC Data Security Law by addressing essential requirements for risk management in an organisation’s NAIC-mandated Information Security Programme.

NAIC Data Security Law Section 4. Information Security Programme

Licensee shall develop, implement, and maintain an Information Security Programme that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information and the Licensee’s Information System.

Thales helps organisations by:

  • Reducing third party risk
  • Controlling access to sensitive data and information systems
  • Identifying and managing sensitive data
  • Encrypting data at rest and in motion
  • Securing the development of apps
  • Implementing multi-factor authentication
  • Monitoring and auditing activity
  • Securing the disposal of non-public information

NAIC Requirement:

Part D. 1:

"Design its Information Security Programme to mitigate the identified risks ... including its use of Third-Party Service Providers"

Thales Solutions:

CipherTrust Cloud Key Manager reduces third-party risk by keeping the keys that protect sensitive data hosted by third-party cloud providers on-premises, under the full control of the financial institution, using “bring your own keys” (BYOK) models.

CipherTrust Transparent Encryption provides complete separation of administrative roles where only authorised users and processes can view unencrypted data. Unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud will not be accessible in cleartext to unauthorised users.

Thales Data Security solutions offer a comprehensive range of data protection, from Thales Data Protection on Demand (DPoD), which provides built-in high availability and backup for its cloud-based Luna Cloud HSM and CipherTrust Key Management services, to the HSE network encryption appliances, which provide zeroisation options.

Part D. 2, k:

“Place access controls on Information Systems, … protect against unauthorised acquisition of Nonpublic Information;”

Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorisation policies help ensure that the right user is granted access to the right resource at the right time, minimising the risk of unauthorised access.

Thales OneWelcome Consent & Preference Management module enables organisations to gather consent of end consumers such that financial institutions may have clear visibility of consented data, thereby allowing them to manage access to data that they are allowed to utilise.

CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters. It provides complete separation of roles where only authorised users and processes can view unencrypted data.

Part D. 2, b:

“Identify and manage the data … that enable the organisation to achieve business purposes ...”

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight cybersecurity risks, and help uncover compliance gaps.

Part D. 2, d:

“Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;”

Protect Data at Rest:

CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

  • CipherTrust Transparent Encryption delivers data-at-rest encryption with centralised key management and privileged user access control. This protects data wherever it resides, on-premises, across multiple clouds, and within big data and container environments.
  • CipherTrust Tokenisation permits the pseudonymisation of sensitive information in databases while maintaining the ability to analyse aggregate
  • CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments over a diverse set of use cases.

Protect keys and certificates:

Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.

Protect data in motion:

Thales High Speed Encryptors (HSE) provide network-independent, data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site or from on-premises to the cloud and back. Our network encryption solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception, without performance compromise.

Part D. 2, e:

“Adopt secure development practices for in-house developed applications”

CipherTrust Platform Community Edition makes it easy for DevSecOps to deploy data protection controls in hybrid and multi-cloud applications. The solution includes licenses for CipherTrust Manager Community Edition, Data Protection Gateway, and CipherTrust Transparent Encryption for Kubernetes.

CipherTrust Secrets Management is a state-of-the-art solution that protects and automates access to secrets across DevOps tools and cloud workloads, including credentials, certificates, API keys, and tokens.

Part D. 2, g:

“Utilise effective controls, which may include Multi-Factor Authentication ...”

SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication with the broadest range of hardware and software authentication methods and form factors for cybersecurity protection.

Part D. 2, i:

“Include audit trails within the Information Security Programme designed to detect and respond to Cybersecurity Events”

The Thales Data Security Solutions all maintain extensive access logs and prevent unauthorised access. In particular, CipherTrust Transparent Encryption security intelligence logs and reports streamline compliance reporting and speed up response to cybersecurity events when fed into leading external security information and event management (SIEM) systems.

In addition, CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) watches for abnormal I/O activity on files hosting business-critical data on a per-process basis. It allows administrators to alert on or block suspicious activity before ransomware can take hold of your endpoints and servers. It defends against ransomware even when the ransomware was installed prior to CTE-RWP.

SafeNet Trusted Access allows organisations to respond to and mitigate the risk of a data breach by providing an immediate, up-to-date audit trail of all access events across all systems.

Part D. 2, k:

“Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format.”

CipherTrust Data Security Platform encryption and tokenisation solutions rely on cryptographic keys to encrypt and decrypt data. This means you can selectively “destroy” data simply by destroying the encryption keys for that data.
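The key-destruction approach described above, as an added example that is not Thales code: each policyholder's records are encrypted under their own data key held in a constructed in-memory key store, and disposing of one policyholder's data means destroying only that key, leaving the ciphertext in place but unrecoverable. `KeyStore`, `encrypt_record`, `decrypt_record`, `selective_disposal` and the sample records are all assumptions of this example; a stdlib SHA-256 counter-mode keystream with an HMAC tag stands in for the AES-GCM that an HSM-backed library would provide.

```python
import hashlib
import hmac
import os
import secrets

class KeyStore:  # constructed stand-in for the key-manager / HSM role
    def __init__(self):
        self._keys = {}
    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
    def get(self, key_id):
        return self._keys[key_id]  # raises KeyError once the key has been destroyed
    def destroy(self, key_id):
        del self._keys[key_id]  # crypto-shred: the only copy of the key is gone

def _keystream(enc_key, nonce, length):
    # SHA-256 in counter mode as a PRF keystream; production code uses an AEAD such as AES-GCM
    return b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt_record(store, key_id, plaintext):
    # domain-separated confidentiality and integrity subkeys derived from the stored data key
    enc_key, mac_key = (hashlib.sha256(label + store.get(key_id)).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag

def decrypt_record(store, key_id, blob):
    enc_key, mac_key = (hashlib.sha256(label + store.get(key_id)).digest() for label in (b"enc", b"mac"))
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def selective_disposal():  # two policyholders' records; shred one key; report what stays readable
    store = KeyStore()
    records = {}
    for holder, data in (("holder-1", b"SSN=000-00-0001"), ("holder-2", b"SSN=000-00-0002")):
        store.create(holder)  # one data key per policyholder; sample records are constructed
        records[holder] = encrypt_record(store, holder, data)
    store.destroy("holder-1")  # disposal request covers holder-1 only
    readable = {}
    for holder, blob in records.items():
        try:
            readable[holder] = decrypt_record(store, holder, blob)
        except KeyError:
            readable[holder] = None  # ciphertext persists but is unrecoverable
    return readable
```

The disposal is only as good as the key store: backups or escrow copies of the destroyed key would make the ciphertext recoverable again, so key destruction must be enforced wherever the key was ever held.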

Related resources

Data Security Solutions for NAIC Compliance - Solution Brief

Discover how Thales solutions support NAIC compliance with data security measures like encryption, identity management, and audit trails for insurance providers.  The National Association of Insurance Commissioners (NAIC) Data Security Law (Model Law) requires insurers...

Compliance Requirements for American Financial Services Organizations - eBook

This eBook covers some of the most important regulations affecting Financial Services organizations in the United States and how Thales cybersecurity solutions help meet requirements for risk management, data privacy, access management and much more. Included regulations:...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

PCI DSS

Mandate
Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.