Delaware Enacts Data Security Law

Signed into law on July 31.
August 27, 2019

The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (MDL-668) has been passed in a number of states. The latest is Delaware.

Delaware Governor John Carney (D) signed its iteration into law on July 31. Some highlights:

Delaware’s law applies to all “licensees,” which are defined as people who are or should be licensed pursuant to the insurance laws of Delaware. Under the Delaware law, licensees are required to develop and put in place an information security program within one year from the date of passage of the law, and licensees are required to report some types of cybersecurity events to the Delaware insurance commissioner.

The Delaware law also allows the insurance commissioner to impose administrative (financial) penalties against licensees found to be violating this law. Like the others, it also requires that licensees develop, implement, and maintain a written information security policy (WISP), and it provides the insurance commissioner with the authority to investigate the activities of licensees to ensure compliance with the new law. Like most similar laws, the Delaware version provides for phased-in implementation over the course of one or two years, depending on the provision. –continue reading


Navigate in this section: