NAIC Amends Cybersecurity “Bill of Rights” for Insurance Consumers
On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.” Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.
The Bill of Rights/Cybersecurity Roadmap was originally adopted by the NAIC’s Cybersecurity Task Force in Summer 2015 as a declaration of certain rights for insurance consumers related to protection of their personal data by insurers, insurance producers and other regulated entities. Our prior blog post on Sidley’s Data Matters describes the Bill of Rights, its history, and the problems associated with the version adopted by the Task Force.
The chief concern with the Bill of Rights has been its questionable binding legal impact on states, each of which regulates the business of insurance pursuant to laws that often vary by state. As originally published, the Bill of Rights suggested that insurance consumers were legally entitled to certain notices, information and actions related to data and data breaches that did not accurately reflect the law in many states.
The NAIC’s Cybersecurity Task Force recognized this problem, and in October 2015 adopted a revised version that included a statement that a consumer’s specific rights “may vary based on state and federal law.” Still, for many interested parties, the revised draft did not go far enough to clarify that the Bill of Rights is more of an “aspirational” document that merely outlines rights that the states should adopt, rather than create or codify existing law. Several industry participants, such as the American Council of Life Insurers (ACLI), American Insurance Association (AIA), National Association of Mutual Insurance Companies (NAMIC), National Association of Professional Insurance Agents (NAPIA), submitted comments to that effect.
Originally scheduled for hearing at a November meeting, the Bill of Rights was tabled for further discussion among regulators and interested parties. At a December 15, 2015 meeting, the NAIC’s Executive/Plenary Committees reached a compromise that included a change in title – the document is no longer a “Bill of Rights,” but rather a “Roadmap for Security Consumer Protections.” The prior statement that a consumer’s rights may vary based on state and federal law was removed, and the following preamble was added:
This document describes the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect maintain and use your personal information, including what should happen in connection with a notice that your personal information has been involved in a data breach. Not all of these consumer protections are currently provided for under state law. This document functions as a Consumer Bill of Rights and will be incorporated into NAIC Model laws and regulations. If you have questions about data security, a notice you receive about a data breach, or other issues concerning your personal information in an insurance transaction, you should contact your state insurance department to determine your existing rights.
The amended Cybersecurity Roadmap, adopted on December 17, 2015, is available here.
The Executive/Plenary Committees also agreed to work with interested parties in drafting a new, comprehensive Cybersecurity Model Act/Regulation, rather than attempting to amend existing Model Laws to address cybersecurity rights. Interested parties such as the ACLI still disagree with certain provisions of the Cybersecurity Roadmap (including the right to one year of identity theft protection paid for by the insurer or agent involved in a data breach). However, rather than oppose adoption of the Cybersecurity Roadmap, they have agreed to further discuss such provisions during the process of creating a new NAIC Cybersecurity Model Act/Regulation.