On October 14, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) adopted a cybersecurity “Bill of Rights” that proposes certain rights for insurance consumers relating to the protection of their personal information by insurance companies, insurance producers and other entities regulated by state insurance departments. The Bill of Rights also outlines specific notices, information and actions that consumers should expect from such entities, particularly in the event of a data breach. This Bill of Rights, if adopted by NAIC’s Executive/Plenary Committees, could ultimately be incorporated in NAIC Model Acts and Regulations, and could be adopted by insurance companies on their own initiative.
The cybersecurity Bill of Rights is one of several insurance regulatory measures designed to ensure the safeguarding of personal information of insurance consumers. This information is particularly sensitive because it often contains social security numbers, financial information, and medical information. In light of this sensitive nature and the increase in high profile data breaches, the NAIC formed the Cybersecurity Task Force in January 2015 to monitor cybersecurity developments and make recommendations to the NAIC concerning security of such information. The Task Force’s activities took on a sense of urgency when, one month later, the widely-publicized Anthem, Inc. data breach occurred. In June 2015, the NAIC adopted the Task Force’s Principles for Effective Cybersecurity Insurance Regulatory Guidance (“Cybersecurity Principles”) setting forth 12 cybersecurity principles to guide the regulation of cybersecurity by insurance departments. In late July 2015, the Task Force published its first draft of the cybersecurity Bill of Rights.
In our August, 2015 post, we discussed the first draft of the Bill of Rights and questioned the extent to which it could have a binding legal impact on the states, each of which regulates insurance pursuant to laws that often vary by state. In both substance and form, the first draft of the Bill of Rights suggested that insurance consumers are legally entitled to certain notices, information and actions related to data and data breaches. However, in many states, such rights are presently either partly or entirely absent from the applicable insurance laws. In essence, the Cybersecurity Task Force presented a Bill of Rights to consumers that did not accurately state those consumers’ current legal rights.
The Cybersecurity Task Force recognized this problem, and its second draft included a statement to the effect that a consumer’s specific rights may vary based on state and federal law. Still, for many interested parties, the revised draft did not go far enough to alert consumers that the Bill of Rights is an “aspirational” document (as the Cybersecurity Task Force described it) that merely outlines rights that states should adopt — and does not create or codify any law.
In this vein, some commentators urged the Cybersecurity Task Force to include a preamble stating that the Bill of Rights is a general summary provided for informational purposes only, and that a consumer’s specific rights are based on and subject to state and federal law. While the Cybersecurity Task Force declined to include a preamble along these lines, it announced on October 14, 2015 that it would seek to amend certain NAIC Model Acts and Regulations (“Model Laws”) to align them with the Bill of Rights. State legislators and regulators could then consider adopting the amended Model Laws, and if adopted, the amended laws and regulations would then give legal effect to the Bill of Rights. The Model Laws to be considered for amendment include:
- Insurance and Privacy Protection Model Act (#670);
- Privacy of Consumer Financial and Health Information Regulation (#672);
- Standards for Safeguarding Consumer Information Model Regulation (#673); and
- Insurance Fraud Prevention Model Act (#680).
The Bill of Rights is not yet an official NAIC document, as it must still be adopted by the Cybersecurity Task Force’s parent committees, the NAIC’s Executive/Plenary Committees. Given the important questions about the legal import of the Bill of Rights, it is possible that such committees will require further revisions.
Insurance companies considering adopting the Bill of Rights on their own initiative in the interim should reflect upon the possibility that in doing so they could be viewed by state insurance regulators as having made a binding obligation that could be enforced under authority of unfair and deceptive trade practice requirements.
Additionally, consumers would have the right to:
- expect their insurance company, agent or any business they contract with to take “reasonable steps” to keep unauthorized persons from seeing, stealing or using personal information;
- receive notice from the consumer’s insurance company, agent or any business they contract with if a data breach has occurred;
- receive at least one year of identity theft protection paid for the by the insurer or agent involved in a data breach (a prior draft provided two years of protection); and
- certain actions and remedies with respect to consumers’ credit reports as a result of a data breach.
For more information about the unique nature of cybersecurity in the insurance context, please see our March 17, 2015 Sidley Update, “Increasing Scrutiny of Insurance Companies’ Cybersecurity Preparedness.”