The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The first draft Model Law was released in April of this year and received over 40 comments from trade associations, market participants and regulators.
The first draft was started as a compilation of four previously released guidelines, with implementation of specific practices and penalties. The first draft incorporated elements of the Insurance Information and Privacy Protection Model Act and the Privacy of Consumer Financial and Health Information Regulation, and the Principles for Effective Cybersecurity: Insurance Regulatory Guidance and the NAIC Roadmap for Cybersecurity Consumer Protections. With the release of the first draft Model Law came many criticisms. NAIC members expressed concerns about: (1) certain prescriptive security measures that insurance companies were expected to incorporate into their information security programs; (2) the requirement that insurance companies compel third-party service providers to agree by contract to certain data security provisions; (3) the timing, substance, and procedure for notifying consumers of a data breach; and (4) consumer remedies following a data breach, such as regulatory remedies and a private right of action.
Now, after reviewing the comments received in response to the first draft Model Law, the NAIC has released a revised draft following its National Summer Meeting, where the Task Force met with interested parties to discuss comments on this revised draft. Written comments on the revised Model Law may be submitted by September 16, 2016.
The revised Model Law addresses:
Purpose, Intent, Applicability and Scope: The Model Law originally preempted state and federal laws addressing data security and breach notification but now states that it is “not to be construed as superseding, altering, or affecting any statute, regulation, order or interpretation of law in this state, except to the extent that such statute, regulation, order or interpretation is inconsistent with the provisions of this act and then only to the extent of the inconsistency.”
Definition of Consumer Clarified: Includes but not limited to applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and others whose personal information is in a licensee’s possession, custody or control—regardless of whether a contractual relationship exists.
Appropriateness of and Implementation of Information Security Program: Must be appropriate to the size and complexity of the insurance company.
Risk Management: NIST Framework Dropped: The Model Law originally used the National Institute of Standards and Technology’s (NIST) cybersecurity standards; now, removing the reference permits flexibility for insurance companies.
Encryption: Definition changed from “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security” to “the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.”
Oversight by Board of Directors: Removal of the requirement that the insurance company’s board of directors approve the written information security program; however, the board is still responsible for oversight.
Oversight of Third Party Service Provider Arrangements: Removal of highly restrictive requirements on third party service provider agreements to “contract only with third party service providers that are capable of maintaining appropriate safeguards for personal information.”
Consumer Rights Before a Data Breach: Removal of the section regarding consumer notice of the types of personal information collected and stored by the insurance company; the NAIC’s Insurance Information and Privacy Protection Model Law.
Notification of Data Breach: Insurance companies must notify insurance commissioners within three days of a breach; insurance commissioners also have the final say regarding the notification to consumers. A draft must be sent to the insurance commissioners before consumers will receive notice. The definitions of breach and personal information were also revised to limit the scope of what constitutes a data breach.
Consumer Protection Following a Data Breach: Retains the requirement that insurance companies offer identity theft protection services and permits the insurance commissioner to “take other action deemed necessary to protect consumers.”
Private Right of Action: Removed the reference to the creation of a private right of action.
Enforcement Procedure and Penalties: Reference to the enacting state’s administrative procedure act or insurance code applicable to administrative enforcement proceedings for serious violations.
This revised Model Law responds to several of the issues raised by commenters but still does not address the effect on overlapping federal and state laws; the timing and content of breach notifications; how insurance companies can comply with obligations under the Model Law to update their information security program; or the broad authority of insurance commissioners to order consumer protection measures after a data breach. Check out the full revised Model Law here and make sure to submit your comments by September 16.
This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.