Dec 72017

U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law

Colleen Theresa Brown, Charlene McHugh and Stephen W. McInerney
, , , , , , ,

On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries.  The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment.  For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage).  The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level.

This Report may significantly impact the evolution of state-law cybersecurity regulations for the financial services sector. The NYDFS regulations require that Covered Entities certify their compliance with the regulations by February 15, 2018. Since the NYDFS regulations were promulgated, other states are evaluating adoption of their own cybersecurity regulations or legislation, leading to concerns about a proliferation of state cyber regulations and compliance with numerous, and potentially conflicting requirements.

In the Report, the Treasury states that although it supports state-based systems of insurance regulation, “data security, data breach notifications, and more broadly, cybersecurity are also issues of national concerns.”  Report at 117.  The Report continued, “U.S. insurers should be subject to the same requirements for cybersecurity and protection of PII and PHI regardless of where they are domiciled and operate, and U.S. policyholders should be able to expect the same level of protection of their personal data regardless of where they live.”  Id.  The Treasury also expressed concern that the Model Law does not require data breach notification to consumers (as notification is currently only required if there is already an applicable state data breach notification law).

In response, the Treasury recommends:

  • Data Security Regulation – Prompt adoption of the NAIC Insurance Data Security Model Law by the states.  If such adoption and implementation does not result in uniform data security regulations within 5 years, Congress should step in and pass a law (but, leave supervision and enforcement of it to the states).
  • Data Breach Notification Requirements – States and the NAIC should work to expeditiously pass uniform legislation regarding data breach notification for insurers.  If such adoption and implementation does not result in uniform data breach notification requirements within 5 years, Congress should step in and pass a law (but, the Treasury recommends, leave supervision and enforcement of breach notification to the states).
  • Information Sharing – Treasury and state insurance regulators should continue to promote insurer participation in the FS-ISAC and similar entities to share information with each other about threats and best practices, and collaborate with the public sector on cybersecurity issues.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Charlene McHugh

cmchugh@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1