U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law

On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries.  The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment.  For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage).  The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level.

This Report may significantly impact the evolution of state-law cybersecurity regulations for the financial services sector. The NYDFS regulations require that Covered Entities certify their compliance with the regulations by February 15, 2018. Since the NYDFS regulations were promulgated, other states are evaluating adoption of their own cybersecurity regulations or legislation, leading to concerns about a proliferation of state cyber regulations and compliance with numerous, and potentially conflicting requirements.

In the Report, the Treasury states that although it supports state-based systems of insurance regulation, “data security, data breach notifications, and more broadly, cybersecurity are also issues of national concerns.”  Report at 117.  The Report continued, “U.S. insurers should be subject to the same requirements for cybersecurity and protection of PII and PHI regardless of where they are domiciled and operate, and U.S. policyholders should be able to expect the same level of protection of their personal data regardless of where they live.”  Id.  The Treasury also expressed concern that the Model Law does not require data breach notification to consumers (as notification is currently only required if there is already an applicable state data breach notification law).

In response, the Treasury recommends:

  • Data Security Regulation – Prompt adoption of the NAIC Insurance Data Security Model Law by the states.  If such adoption and implementation does not result in uniform data security regulations within 5 years, Congress should step in and pass a law (but, leave supervision and enforcement of it to the states).
  • Data Breach Notification Requirements – States and the NAIC should work to expeditiously pass uniform legislation regarding data breach notification for insurers.  If such adoption and implementation does not result in uniform data breach notification requirements within 5 years, Congress should step in and pass a law (but, the Treasury recommends, leave supervision and enforcement of breach notification to the states).
  • Information Sharing – Treasury and state insurance regulators should continue to promote insurer participation in the FS-ISAC and similar entities to share information with each other about threats and best practices, and collaborate with the public sector on cybersecurity issues.