NAIC Drafts Cybersecurity “Bill of Rights” for Insurance Consumers

On July 27, 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015, and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard the personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach, and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.

Adoption of the Bill of Rights by the NAIC would not have binding legal impact on any state. Nonetheless, it will likely influence state regulators and legislators in expanding insurance consumer protections and requiring that additional steps be taken by insurance companies and producers to protect data and mitigate breaches. The summary below refers to the specified “rights” as though they were potentially binding.

The draft Bill of Rights makes clear that insurance consumers have the right, in principle, to know what personally identifiable information is being collected in connection with insurance transactions, the right to expect that information is adequately protected from disclosure, and the right to a copy of the regulated entity’s privacy policy concerning data collection and protection. If an insurance consumer’s personally identifiable information may have been acquired by an unauthorized person, then the insurance consumer would have the right (among other things) to notice and information about the data breach within a specified period of time and a list of steps that have been taken to restore security and confidentiality. The Bill of Rights also would entail that insurance consumers be given information on how to additionally protect themselves following a data breach (including their rights under the Fair Credit Reporting Act) and information about placing security freezes on consumer credit reports with nationwide consumer reporting agencies. Insurance consumers would also have the right to receive a minimum of two years of identity theft protection from the regulated entity.

Another initiative, focused more on prevention of data breaches, was the adoption by the NAIC last month of Principles for Effective Cybersecurity Insurance Regulatory Guidance (Cybersecurity Principles). The Cybersecurity Principles are twelve principles outlining the safeguards that insurance companies are expected to have in place in order to protect consumers from cybersecurity breaches. Among other things, the Cybersecurity Principles require that cybersecurity regulatory guidance for insurance companies be “flexible, scalable, practical and consistent with nationally recognized efforts” such as those embodied in the National Institute of Standards and Technology (NIST) framework. The original draft of the Cybersecurity Principles required encryption of sensitive data collected and stored, and transferred inside or outside of an insurance company’s or producer’s network. However, after discussing the mechanics of encryption, the final version of the Cybersecurity Principles as adopted was revised to more broadly require that data be “appropriately safeguarded” rather than encrypted.