Two more state governors, those of Maine and North Dakota, have signed bills into law that adopt the National Association of Insurance Commissioners (NAIC) data security model law (Model Law). Maine and North Dakota join several other states that have already passed similar laws. Hawaii, Idaho, Illinois, Iowa, Minnesota, Rhode Island, and Wisconsin have similar bills pending.

What is the NAIC Model Law and to Whom Does it Apply?

According to the NAIC, the Model Law “seeks to establish standards for regulators and insurers in order to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.”

What Does the Model Law Require?

The Model Law requires insurers and regulated entities licensed by state insurance departments to develop, implement, and maintain an information security program based on their risk assessment, with a designated employee in charge of the information security program. The Model Law also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner. Licensees are required to implement an incident response plan.

Neither the Maine nor the North Dakota law will take effect right away. Maine’s Model Law is effective January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.

Applus Technologies, Inc., a vendor of multiple state Departments of Motor Vehicles that assists states with vehicle inspections, recently announced that its systems have been affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, it has not been possible to complete vehicle inspections since March 30, 2021.

This is obviously very inconvenient for those individuals whose inspection stickers have expired or will expire shortly, as they are at risk of being issued a citation for an expired inspection sticker, on top of having to take time off to take their car to get inspected.

To address this concern, the Massachusetts Registry of Motor Vehicles (RMV) said, “[R]ecognizing the inconvenience Applus’ outage is causing, the RMV has been in communication with law enforcement to request cooperation and discretion in citing those with an expired sticker who may have attempted to visit a station this week.” The RMV has extended a grace period of one month to drivers who were unable to get their inspection stickers because of the outage.

After inspections were delayed a week, on April 7, 2021, Applus forwarded a software patch to service stations to try to fix the problem. However, it is being reported that Applus forwarded the patch to service stations on flash drives! Flash drives are notorious for being used to plant malware and ransomware in users’ systems. Sending a patch on a flash drive is completely contradictory to security best practices.

Applus has stated that it does not believe that any customer (i.e., service station) financial information has been compromised, but is working with a forensic expert.

Lesson learned: get your inspection sticker in plenty of time before it expires.