United States of America: Maryland: Insurance Carriers and Managed Care Organizations Bill approved by the Governor (SB0207/CH0231)

On 21 April 2022, the Insurance Carriers and Managed Care Organizations - Cybersecurity Standards Bill was signed by the Governor of Maryland. It is based on the National Association of Insurance Commissioners (NAIC) called the Insurance Data Security Model Law which has already been adopted by 15 other US States. The Bill will enter into full force on 1 October 2022 and introduces a data security framework for insurance carriers that requires them to conduct self-evaluations of their risk profile and how to mitigate it. Based on these reports, the insurance carriers need to develop their own in-house security strategy around their data collection and storage, including the training of employees and the creation of a specific response plan for possible cyber-incidents. Finally, the insurance carriers are obligated to create a reporting system to their board of directors around their vulnerabilities, their level of compliance with the data security law, and what decisions were taken around data risk mitigation.