🇺🇸 Live Privacy & Data Protection

NAIC Insurance Data Security Model Law

Requires insurance licensees to develop, implement, and maintain an information security program to protect nonpublic information from unauthorized access. Applies to insurers, agents, and other entities licensed by state insurance departments.

View official source document

11

Rules extracted

96

Obligations decomposed

8.7x

Avg obligations per rule

🇺🇸 United States

Jurisdiction

About this regulation

Model law adopted by 23+ states. Establishes data security standards for insurance licensees including information security programs, incident response, investigation, and notification requirements.

What AuditDSS covers

Source

1

Regulation

Extracted

11

Rules

Decomposed

96

Obligations

8.7x

Decomposition ratio

Each rule is decomposed into an average of 8.7 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 96 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in Model Law #668 is scored across independent risk dimensions:

W

Obligation Weight

How critical within the regulatory framework

L

Violation Likelihood

How often breached in practice

E

Enforcement Evidence

Regulator enforcement history and penalties

C

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title
NAIC Insurance Data Security Model Law
Regulatory body
National Association of Insurance Commissioners
Jurisdiction
🇺🇸 United States
Document type
model-law
Effective date
October 24, 2017
Issuing authority
National Association of Insurance Commissioners (NAIC)
Industry
Privacy & Data Protection
Official source
View source document ↗

Who this applies to

insurance licensees

Key requirements

  • information security program
  • risk assessment
  • third-party service provider security
  • program oversight
  • incident response plan
  • cybersecurity event investigation
  • commissioner notification
  • 72-hour notification deadline

Frequently asked questions about Model Law #668

What is Model Law #668?
Model law adopted by 23+ states. Establishes data security standards for insurance licensees including information security programs, incident response, investigation, and notification requirements.

Who does Model Law #668 apply to?
Model Law #668 applies to insurance licensees.

How many obligations does Model Law #668 contain?
AuditDSS has decomposed Model Law #668 into 96 atomic obligations from 11 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of Model Law #668?
The key requirements include: information security program, risk assessment, third-party service provider security, program oversight, incident response plan, cybersecurity event investigation, commissioner notification, 72-hour notification deadline.

How can I assess my Model Law #668 compliance?
Upload your compliance policy to AuditDSS. The platform maps your document against all 96 Model Law #668 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces Model Law #668?
Model Law #668 is enforced in United States by National Association of Insurance Commissioners.

When did Model Law #668 come into effect?
Model Law #668 became effective on October 24, 2017.

What industry does Model Law #668 apply to?
Model Law #668 is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a Model Law #668 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for Model Law #668 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering Model Law #668 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine Model Law #668 with other regulations into a single unified compliance pack for your business.

Build Model Law #668 compliance pack

Already have a policy? Assess it against Model Law #668

1

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2

AI maps against 96 obligations

Your document is scored against every obligation in Model Law #668. Each claim is mapped to the obligation tree and evaluated for coverage.

3

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Related regulations in Privacy & Data Protection

🇦🇺 Live

Fair Work Act 2009

16 rules, 260 obligations
🇦🇺 Live

Modern Slavery Act 2018

9 rules, 135 obligations
🇦🇺 Live

Privacy Act 1988

29 rules, 203 obligations
🇦🇺 Live

SOCI Act 2018

10 rules, 32 obligations
🇦🇺 Live

Model WHS Act

10 rules, 41 obligations
🇧🇷 Live

LGPD

19 rules, 200 obligations
🇺🇸 Live

CCPA/CPRA

46 rules, 572 obligations
🇨🇳 Live

CSL

8 rules, 201 obligations

Assess your Model Law #668 compliance

Upload your document and get a risk-scored gap analysis against 96 Model Law #668 obligations in under 5 minutes.

Start assessment Browse all regulations