On October 14, the National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Task Force released an updated draft of its Cybersecurity Bill of Rights. The bill, which updates a prior draft published for comment in July 2015, details certain rights of insurance consumers in connection with protection of personal information and responses to data breaches by insurers and agents. Specifically, insurance consumers have the right to:

  1. Know the types of personal information collected and stored by insurers, agents or their vendors,
  2. Expect insurers to make their privacy policies available on their website and in hard copy, if requested,
  3. Expect insurers to prevent unauthorized access to personal information,
  4. Receive notice from insurers in the event of a data breach through first class mail or email, sent within 60 days of discovery,
  5. Receive 1 year of identity theft protection paid for by the insurer involved in a data breach,
  6. In the event of identity theft, be aware of the measures available to protect their credit and prevent contact from debt collectors.

This draft scales back some of the protections contained in the July 2015 draft published for comment, which included specific references to consumer protections under the Fair Credit Report Act and HIPAA. While the bill would not have binding effect, there has been concern voiced in the industry about whether the bill implies that consumers have greater rights than provided for under individual state laws. The bill will now go before the NAIC Executive (EX) Committee for approval in November.