Aug 132015

NAIC Drafts Cybersecurity “Bill of Rights” for Insurance Consumers

Alan Charles Raul, Andrew R. Holland and Charlene McHugh
, ,

On July 27, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015 and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information.  Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.

Adoption of the Bill of Rights by the NAIC would not have binding legal impact on any state.  Nonetheless, it will likely influence state regulators and legislators in expanding insurance consumer protections and requiring that additional steps be taken by insurance companies and producers to protect data and mitigate breaches. The summary below refers to the specified “rights” as though they were potentially binding.

The draft Bill of Rights makes clear that insurance consumers have the right, in principle, to know what personally identifiable information is being collected in connection with insurance transactions, the right to expect that information is adequately protected from disclosure, and the right to a copy of the regulated entity’s privacy policy concerning data collection and protection.   If an insurance consumer’s personally identifiable information may have been acquired by an unauthorized person, then the insurance consumer would have the right (among other things) to notice and information about the data breach within a specified period of time and a list of steps that have been taken to restore security and confidentiality.  The Bill of Rights also would entail that insurance consumers be given information on how to additionally protect themselves following a data breach (including their rights under the Fair Credit Reporting Act) and information about placing security freezes on consumer credit reports with nationwide consumer reporting agencies.  Insurance consumers would also have the right to receive a minimum of two years of identity theft protection from the regulated entity.

Another initiative, focused more on prevention of data breaches, was the adoption by the NAIC last month of  Principles for Effective Cybersecurity Insurance Regulatory Guidance (Cybersecurity Principles).  The Cybersecurity Principles are twelve principles outlining the safeguards that insurance companies are expected to have in place in order to protect consumers from cybersecurity breaches.  Among other things, the Cybersecurity Principles require that cybersecurity regulatory guidance for insurance companies be “flexible, scalable, practical and consistent with nationally recognized efforts” such as those embodied in the National Institute of Standards and Technology (NIST) framework. The original draft of the Cybersecurity Principles required encryption of sensitive data collected and stored, and transferred inside or outside of an insurance company/producer’s network.  However, after discussing the mechanics of encryption, the final version of the Cybersecurity Principles as adopted was revised to more broadly require that data be “appropriately safeguarded” rather than encrypted.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Andrew R. Holland

New York

aholland@sidley.com

Charlene McHugh

cmchugh@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Regulatory Update: National Association of Insurance Commissioners Spring 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2023 National Meeting (Spring Meeting) March 21–25, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity (PE) ownership of insurers, new initiatives to address innovation and technology in the insurance sector, and continued development of a new consumer privacy protections model law.
U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.