On October 14, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) adopted a cybersecurity “Bill of Rights” that proposes certain rights for insurance consumers relating to the protection of their personal information by insurance companies, insurance producers and other entities regulated by state insurance departments. The Bill of Rights also outlines specific notices, information and actions that consumers should expect from such entities, particularly in the event of a data breach. This Bill of Rights, if adopted by NAIC’s Executive/Plenary Committees, could ultimately be incorporated in NAIC Model Acts and Regulations, and could be adopted by insurance companies on their own initiative.
On July 27, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015 and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.
New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.