Dec 222015

NAIC Amends Cybersecurity “Bill of Rights” for Insurance Consumers

Charlene McHugh and Thomas D. Cunningham
, , , ,

On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.”  Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.

The Bill of Rights/Cybersecurity Roadmap was originally adopted by the NAIC’s Cybersecurity Task Force in Summer 2015 as a declaration of certain rights for insurance consumers related to protection of their personal data by insurers, insurance producers and other regulated entities.  Our prior blog post on Sidley’s Data Matters describes the Bill of Rights, its history, and the problems associated with the version adopted by the Task Force.

The chief concern with the Bill of Rights has been its questionable binding legal impact on states, each of which regulates the business of insurance pursuant to laws that often vary by state.  As originally published, the Bill of Rights suggested that insurance consumers were legally entitled to certain notices, information and actions related to data and data breaches that did not accurately reflect the law in many states.

The NAIC’s Cybersecurity Task Force recognized this problem, and in October 2015 adopted a revised version that included a statement that a consumer’s specific rights “may vary based on state and federal law.”  Still, for many interested parties, the revised draft did not go far enough to clarify that the Bill of Rights is more of an “aspirational” document that merely outlines rights that the states should adopt, rather than create or codify existing law.  Several industry participants, such as the American Council of Life Insurers (ACLI), American Insurance Association (AIA), National Association of Mutual Insurance Companies (NAMIC), National Association of Professional Insurance Agents (NAPIA), submitted comments to that effect.

Originally scheduled for hearing at a November meeting, the Bill of Rights was tabled for further discussion among regulators and interested parties.  At a December 15, 2015 meeting, the NAIC’s Executive/Plenary Committees reached a compromise that included a change in title – the document is no longer a “Bill of Rights,” but rather a “Roadmap for Security Consumer Protections.”  The prior statement that a consumer’s rights may vary based on state and federal law was removed, and the following preamble was added:

This document describes the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect maintain and use your personal information, including what should happen in connection with a notice that your personal information has been involved in a data breach. Not all of these consumer protections are currently provided for under state law. This document functions as a Consumer Bill of Rights and will be incorporated into NAIC Model laws and regulations. If you have questions about data security, a notice you receive about a data breach, or other issues concerning your personal information in an insurance transaction, you should contact your state insurance department to determine your existing rights.

The amended Cybersecurity Roadmap, adopted on December 17, 2015, is available here.

The Executive/Plenary Committees also agreed to work with interested parties in drafting a new, comprehensive Cybersecurity Model Act/Regulation, rather than attempting to amend existing Model Laws to address cybersecurity rights.  Interested parties such as the ACLI still disagree with certain provisions of the Cybersecurity Roadmap (including the right to one year of identity theft protection paid for by the insurer or agent involved in a data breach). However, rather than oppose adoption of the Cybersecurity Roadmap, they have agreed to further discuss such provisions during the process of creating a new NAIC Cybersecurity Model Act/Regulation.

Charlene McHugh

cmchugh@sidley.com

Thomas D. Cunningham

Chicago

tcunningham@sidley.com

You might also like
How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

The Future of UK Open Banking: Joint Regulatory Oversight Committee Issues Recommendations

The committee of government and regulatory authorities responsible for open banking in the UK has set out its plans and timeframes for expanding and developing infrastructure, standards, and processes for the sector. Central among these are proposals to improve the performance of interfaces among relevant firms, mitigate financial crime risks, and ensure that end users receive sufficient information and are protected if something goes wrong. This Sidley Update summarises the proposals and key points for firms.