New Insurance Data Security Laws In Maryland And Kentucky

The States of Maryland and Kentucky have both enacted new laws that place new legal requirements on insurance businesses.

So What Is Changing?

The new reforms will oblige insurance companies to:

  • assess whether a cybersecurity incident has occurred
  • notify the Insurance Commissioner within three days of becoming aware of cybersecurity events
  • tackle risks to cyber-security in their respective risk management procedures
  • take preventative action to mitigate the risk of data breaches by:
      • keeping a record evidencing that they have complied with their data security initiative and those of State law
      • staying on the pulse of new threats which can pose a risk to the system
      • sending a yearly compliance certificate to the Insurance Commission
      • enacting and implementing a full written data security initiative that bakes in:
          • risk assessment and management measures
          • measures to safeguard information and secure data
          • testing of cybersecurity
          • training staff on data protection and cybersecurity
          • strategies to respond to data protection incidents and
          • a communication plan whereby affected insurance company boards of directors will be required to provide evidence of their compliance efforts.

Why Are Kentucky And Maryland Adopting These Changes?

The new measures entered Maryland State legislation on 21st April 2022, when the Governor of Maryland, Larry Hogan, signed a law known as HB474 that will come into force on 1st October 2023. They are based on the Insurance Data Security Model Law, otherwise known as MDL668. From that date the clock will be ticking, and affected insurance companies will have to keep two dates in mind. The first is the one-year timeframe, specifically until 1st October 2023, to prepare for the obligation to have the written security initiatives described above in place. The second is the deadline of 1st October 2024 for affected insurance companies in Maryland to bring in the promulgated supervisory obligations.

By way of contrast, in Kentucky the law will enter into force two months later, on 1st January 2023. It follows the same lines as Maryland's: affected insurance providers will be obliged to introduce written security initiatives and will have two years to prepare for the changes.

What Should Lawyers Be Advising?

In-house or external lawyers of affected insurance companies in the State of Maryland will no doubt be busy over the next five months helping their clients prepare for the arrival of this legislation on 1st October 2022. Those clients will need to be as prepared as they can be by that date to ensure they are ready for the changes.

Lawyers and Data Protection Officers will be at the forefront advising clients on the:

  • assessment of whether a data breach has occurred
  • 3-day deadline for reporting data breaches to the relevant Insurance Commissioner
  • internal data security initiatives and whether they comply with the legal obligations set out above, and
  • respective one- and two-year deadlines to comply with the oversight requirements.

The Legists Content Team
