NAIC Model Law State-by-State Adoption

Which states have adopted the NAIC Insurance Data Security Model Law, how each state's version varies, and how to manage compliance when you operate across multiple jurisdictions.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

The state adoption landscape

The NAIC Insurance Data Security Model Law (MDL-668) was designed to be adopted by individual states, each of which may modify the model language to suit its regulatory environment. Since South Carolina became the first state to adopt in 2018, the pace of adoption has accelerated significantly. As of early 2026, over 25 states have enacted legislation based on or substantially similar to the model law, with several more actively considering adoption. This rapid adoption creates a landscape where insurance licensees operating across state lines face a patchwork of similar but not identical requirements. While the core obligations — written information security program, risk assessment, incident response, and breach notification — remain consistent, the specific thresholds, timelines, and exemptions vary meaningfully from state to state. For multi-state agencies and brokerages, this means compliance cannot be a one-size-fits-all exercise. Understanding which states have adopted the law, what each version requires, and where the critical differences lie is essential to building an efficient compliance program.

Key states and their adoption details

Several states are notable for their early adoption or unique requirements:

South Carolina (2018) — The first state to adopt, South Carolina's Insurance Data Security Act closely mirrors the NAIC model law. It applies to all licensees and has a 72-hour breach notification requirement to the Department of Insurance.

Ohio (2018) — Ohio's version includes a safe harbor provision: licensees that comply with recognized cybersecurity frameworks (NIST CSF, ISO 27001, FedRAMP, etc.) receive an affirmative defense against state data breach lawsuits. This safe harbor is unique and provides a strong incentive for framework-based compliance.

Michigan (2018) — Michigan adopted the model law with few modifications, applying to all licensees with more than 10 employees. The Department of Insurance and Financial Services actively monitors compliance.

Connecticut (2020) — Connecticut's adoption includes specific requirements for domestic insurers to include cybersecurity in their annual enterprise risk reports.

New York — While New York has not adopted the NAIC model law directly, the NYDFS Cybersecurity Regulation (23 NYCRR 500) predates the model law and is more prescriptive. Insurance entities licensed in New York must comply with the NYDFS regulation, which has been updated multiple times through 2025.

Virginia (2020), New Hampshire (2019), Iowa (2020), and Indiana (2020) — These states adopted the model law with relatively few modifications, creating a consistent baseline across the Midwest and Northeast.

Critical variations between state adoptions

While state adoptions share a common core, several areas of variation significantly impact compliance planning:

Small entity exemptions — The model law suggests exempting licensees with fewer than 10 employees, but states have modified this threshold. Some states use 25 employees, others use revenue or premium thresholds, and a few have no small entity exemption at all. If you operate in a state without a small entity exemption, you must implement the full program regardless of your agency's size.

Breach notification timelines — The model law recommends 72 hours for notifying the insurance commissioner after determining a cybersecurity event has occurred. Some states have shortened this to 48 hours, while others allow up to 5 business days. Consumer notification timelines also vary, with some states requiring notification within 30 days and others allowing 60 days.

Safe harbor provisions — Ohio's safe harbor provision is the most well-known, providing an affirmative defense against data breach lawsuits for entities that comply with recognized frameworks. A handful of other states have adopted similar provisions, but most have not. Understanding whether your state offers a safe harbor can influence your compliance strategy and framework selection.

Third-party oversight requirements — Some state adoptions include specific requirements for contractual provisions with service providers, while others use the model law's more general language. States with specific requirements may mandate particular contractual clauses around breach notification, audit rights, and data handling.

Regulatory reporting — Annual certification or compliance attestation requirements vary significantly. Some states require affirmative annual certification to the insurance commissioner, while others rely on examination-based oversight.

Multi-state compliance strategy

For agencies and brokerages operating across multiple states, the most practical approach is to comply with the most stringent version:

Identify your strictest state — Review the adoption details for every state where you hold a license. Identify the version with the shortest notification timelines, lowest exemption thresholds, and most detailed requirements. Build your program to meet that standard.

Use a recognized framework as your foundation — Implementing NIST CSF 2.0 or CIS Controls as the basis for your information security program provides a defensible standard that satisfies all state versions. This approach also qualifies you for safe harbor provisions in states that offer them.

Centralize your documentation — Maintain a single written information security program, risk assessment, and incident response plan that addresses the most stringent requirements. Supplement with state-specific appendices where necessary (e.g., notification timelines, regulatory contacts).

Automate external monitoring — Use Cyber Defense Agent to continuously monitor your external security posture across all your domains and digital assets. A single scan covers the technical control verification that every state version requires, eliminating the need to conduct separate assessments for each jurisdiction.

Track adoption changes — The NAIC model law adoption landscape continues to evolve. New states adopt the law, existing states amend their versions, and regulatory guidance shifts. Subscribe to NAIC updates and work with your compliance counsel to stay current.

How Cyber Defense Agent simplifies multi-state compliance

Managing compliance across multiple state adoptions of the NAIC model law can be complex, but Cyber Defense Agent streamlines the technical dimension:

Unified scanning — A single Cyber Defense Agent scan evaluates your external security posture against every technical control that any state version requires. Whether the requirement is encryption, email authentication, vulnerability management, or access controls, our 100-tool scan covers it.

Framework mapping — Scan results map to NIST CSF 2.0 and CIS Controls, which are recognized by all state versions as reasonable security frameworks and qualify for safe harbor provisions where available.

Consistent evidence — Your Cyber Defense Score, compliance report, and trust page provide consistent documentation that works across all jurisdictions. When a state regulator or carrier partner asks for evidence of your security posture, you have a single, authoritative source.

Vendor monitoring — Extend your scanning to vendors and service providers, satisfying third-party oversight requirements across all states with a single platform.

Start your free scan at cyberdefenseagent.ai/check to establish your baseline security posture and begin building multi-state compliance evidence.

Key takeaways

Over 25 states have adopted the NAIC Insurance Data Security Model Law, with more expected in 2026 and beyond.

Key variations include small entity exemption thresholds, breach notification timelines, safe harbor provisions, and reporting requirements.

Ohio's safe harbor provision provides a legal defense for entities complying with recognized frameworks like NIST CSF.

Multi-state compliance is best managed by building your program to the most stringent state version and using a recognized framework as the foundation.

Cyber Defense Agent provides unified scanning and framework mapping that satisfies technical requirements across all state adoptions.

Frequently asked questions

What if my state has not adopted the NAIC model law yet?

Even if your state has not formally adopted the model law, you should prepare for adoption and follow best practices. The trend is toward universal adoption. Additionally, if you hold licenses in states that have adopted the law, you must comply with those states' requirements regardless of your home state's status.

Does compliance with one state's version mean I comply with all states?

Not necessarily, due to variations in thresholds, timelines, and specific requirements. However, if you build your program to the most stringent state version and use a recognized framework (NIST CSF, CIS Controls), you will likely satisfy the requirements of all adopted versions. Review state-specific details with compliance counsel.

Are there states where the NAIC model law is significantly different from the model?

New York's NYDFS Cybersecurity Regulation (23 NYCRR 500) is the most notable departure — it predates the model law and is significantly more prescriptive, requiring a dedicated CISO, specific encryption standards, and detailed annual certification. California's CCPA/CPRA also creates additional obligations for insurance data. Most other states have adopted the model law with relatively minor modifications.

How often do I need to reassess compliance across states?

You should review your multi-state compliance posture at least annually, and whenever a state you operate in adopts or amends its version of the law. Cyber Defense Agent's continuous scanning ensures your technical controls remain current, but policy and documentation updates should be reviewed with each regulatory change.