Jun 92016

Robust Debate at NAIC Cybersecurity Task Force Interim Meeting Highlights Concerns with Draft Insurance Data Security Model Law

Elizabeth MacGill, Colleen Theresa Brown and Charlene McHugh
, , , , ,

On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees.  The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).

The Draft Model Law is intended to establish the exclusive standards for data security and breaches applicable to Insurance Licensees in states adopting the Draft Model Law. If adopted in all states, the Draft Model Law would unify insurance cybersecurity requirements so that Insurance Licensees are not subject to multiple (and inconsistent) requirements imposed by each state where Insurance Licensees transact insurance. To emphasize its comprehensive nature, the Draft Model Law references the McCarran-Ferguson Act, asserting that the Draft Model Law is intended to regulate the business of insurance. The Draft Model Law provides that no other state or federal law or regulation regarding data security (or investigation or notification of a data security breach), will apply to Licensees subject to the Draft Model Law. More information on the purpose of the Draft Model Law may be found in the 2016 Sidley Global Insurance Review (pp. 39-40).

Since the Draft Model Law was first exposed by the Task Force for comment on March 2, 2016, both industry and consumer groups expressed a number of concerns with the Draft Model Law, and the lengthy meeting was held in order to address the overwhelming number of comments received by the Task Force and allow stakeholders to offer feedback.

At the meeting, representatives from both the insurance industry and consumer groups weighed in on the strengths and weaknesses of the Draft Model Law.  At the end of the meeting, the Task Force did not take any formal action or vote regarding the Draft Model Law, but it will consider the comments received as it finalizes the Draft Model Law.  The following aspects of the Draft Model Law received the most attention at the meeting:

Questions about Exclusivity of Cybersecurity Standards and Duplication with Other Existing Cybersecurity Legal Requirements:

As noted above, the Draft Model Law purports to contain the “exclusive standards” regarding data security and investigation/notification of data security breaches. Section 2 provides that “no other provision of state or federal law or regulation regarding data security or investigation or notification of a breach of data security shall apply” to Insurance Licensees subject to the Draft Model Law. As well, Section 5 would require Insurance Licensees to provide consumers with information about their data collection practices and impose a variety of related mandates – actions that are already required under the federal Gramm-Leach-Bliley Act (GLBA). Several commenters expressed concerns about how the Draft Model Law would interact (and possibly conflict) with existing state and federal laws governing insurance privacy issues. For example, the National Association of Professional Insurance Agents (PIA) and Risk and Insurance Management Society, Inc. (RIMS) questioned how Section 2 of the Draft Model Law would apply in light of existing federal laws, such as the federal Health Insurance Portability and Accountability Act (HIPAA) and the Cybersecurity Information Sharing Act.

Other commenters noted potential inconsistencies between the Draft Model Law and the GLBA. The GLBA requires Insurance Licensees to establish procedures to ensure the “security and confidentiality of customer records and information” and to “protect against any anticipated threats or hazards to the security or integrity of such records.” While the Draft Model Law arguably contains procedures and protections that comply with the GLBA, some commenters pointed out that the NAIC (and states) have already passed laws and regulations containing such requirements and procedures, and therefore, it would make more sense to revise existing laws to incorporate additional protections rather than remove these existing laws. As well, both the American Insurance Association (AIA) and the American Council of Life Insurers (ACLI) expressed concern that the Draft Model Law may result in duplicative requirements within a state. AIA noted that an insurer could face enforcement actions by both state insurance commissioners and state attorneys general. While the Task Force made no decisions about how it should address these exclusivity and consistency concerns, the Task Force appeared to appreciate the need to address the issue.

Defining Key Terms:

Breach of Security.  The definitions of certain key terms in the Draft Model Law proved to be one of the most contentious conversation points among stakeholders at the meeting. Several groups highlighted the importance of defining “breach of security.” For example, ACLI suggested that “breach” should exclude the good faith acquisition of the information by an employee or agent of a licensee, which is a common provision in state data breach notification laws. Consumer group Center for Economic Justice (CEJ) took issue with the Draft Model Law’s exclusion of encrypted information in the definition of “breach of security.” The CEJ argued that the definition of “encryption” was immensely vague, and that any exemption for “encrypted” data should apply to data that meets specific standards that would ensure consumer safety. Such a suggestion, if taken, would represent another significant deviation from other data breach notification laws that provide for an encryption safe harbor without defining the technical standards, given the pace of innovation.  The CEJ also criticized the “substantial harm” trigger for notification.  The debate on the definition of “breach of security” illustrated tension between the consumer protection goals and the practical implementation needs that was present at times at the meeting.

Personal Information.  The definition of “personal information” was also debated at the meeting. ACLI proposed that the Draft Model Law be modified to add a definition of “sensitive personal information” distinguishable from “personal information.” ACLI suggested making security requirements applicable to “personal information” and breach notification requirements applicable to “sensitive personal information.” Other stakeholders did not support ACLI’s recommendation to modify “personal information” in this manner. While the Property Casualty Insurers Association of America (PCI) was likewise concerned about the breadth of “personal information,” PCI did not support the two tiered approach for personal information.

Breach Notification Obligations:

Some of the most pointed criticism of the Draft Model Law centered on subsection 7.D.(3),  which specifies breach notification obligations. Subsection 7.D.(3) includes a requirement that Licensees “provide to the commissioner a draft of the proposed written communication to consumers” to review and potentially edit the notice prior to the notification.  ACLI brought attention to the Draft Model Law’s lack of specificity about which commissioner would need to receive the proposed communication to consumers. It is unclear whether Licensees must work with one commissioner, or perhaps the commissioner of each state in which an affected individual resides, a requirement that would create an enormous burden on complying with notification obligations.  ACLI’s concern focused on the inefficiency of sending drafts of its proposed consumer notices to 50 different state commissioners. Criticism was raised from several commenters that the Draft Model Law’s approach to providing notice to consumers would delay notice and result in inconsistent consumer protection across the country. The Task Force will likely need to address the ambiguity about which “commissioner” is required to receive the proposed written communication and consider the practical burdens of receiving approval for the content of notice prior to notification—particularly where notices may be required under multiple applicable state laws—as it modifies the Draft Model Law.

Possibility of Private Action:

Section 15 of the Draft Model Law provides for individual remedies, and the insurance industry representatives at the meeting strongly resisted the creation of a private right of action through the Model Law. PIA argued that “allowing for a private right of action creates an unnecessary layer of enforcement against licensees, who are already subject to robust mechanisms for regulatory fines and penalties for violations.” The American Land Title Association (ALTA) likewise criticized the creation of a private right of action because ALTA viewed creation of such a right as the function of a legislature,  not a responsibility of the Task Force. While the consumer group CEJ highlighted the value in a private right of action, it ultimately acknowledged during the meeting that the provision could be removed where consumers were protected by a strong notification obligation without a risk of harm trigger.

Moving Forward:

The Task Force extended the deadline to submit follow-up comments until close of business on June 3, 2016.

Elizabeth MacGill

Elizabeth.MacGill@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Charlene McHugh

cmchugh@sidley.com

You might also like
How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.