The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The Model Law was first released in April of this year and received over 40 comments from trade associations, market participants and regulators. This week, at the NAIC National Summer Meeting, the Task Force met with interested parties to discuss comments on this new draft, and written comments on the Model Law may be submitted by September 16, 2016.
The revised Model Law addresses:
Purpose, Intent, Applicability and Scope: The Model Law originally preempted state and federal laws addressing data security and breach notification, but now states that it is “not to be construed as superseding, altering, or affecting any statute, regulation, order or interpretation of law in this state, except to the extent that such statute, regulation, order or interpretation is inconsistent with the provisions of this act and then only to the extent of the inconsistency.”
Definition of Consumer Clarified: Includes, but is not limited to, applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and others whose personal information is in a licensee’s possession, custody or control—regardless of whether a contractual relationship exists.
Appropriateness of and Implementation of Information Security Program: Must be appropriate to the size and complexity of the insurance company.
Risk Management: NIST Framework Dropped: The Model Law originally referenced the National Institute of Standards and Technology’s (NIST) cybersecurity standards; removing the reference now gives insurance companies flexibility in choosing a risk management framework.
Encryption: Definition changed from “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security” to “the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.”
Oversight by Board of Directors: Removal of the requirement that the insurance company’s board of directors approve the written information security program; however, the board remains responsible for oversight.
Oversight of Third Party Service Provider Arrangements: Removal of highly restrictive requirements on third party service provider agreements to “contract only with third party service providers that are capable of maintaining appropriate safeguards for personal information.”
Consumer Rights Before a Data Breach: Removal of the section regarding consumer notice of the types of personal information collected and stored by the insurance company; the NAIC’s Insurance Information and Privacy Protection Model Law.
Notification of Data Breach: Insurance companies must notify insurance commissioners within three days of a breach; insurance commissioners also have the final say regarding notification to consumers. A draft notice must be sent to the insurance commissioners before consumers receive notice. The definitions of breach and personal information were also revised to narrow the scope of what constitutes a data breach.
Consumer Protection Following a Data Breach: Retains the requirement that insurance companies offer identity theft protection services and permits the insurance commissioner to “take other action deemed necessary to protect consumers.”
Private Right of Action: Removed the reference to the creation of a private right of action.
Enforcement Procedure and Penalties: References the enacting state’s administrative procedure act or insurance code applicable to administrative enforcement proceedings for serious violations.
This revised Model Law responds to several of the issues raised by commenters but still does not address the effect on overlapping federal and state laws; the timing and content of breach notifications; how insurance companies can comply with obligations under the Model Law to update their information security program; or the broad authority of insurance commissioners to order consumer protection measures after a data breach. Check out the full revised Model Law here and make sure to submit your comments before September 16.
This post is also being shared on our Property Insurance Coverage Insights blog. If you’re interested in getting updates on developments affecting insurance coverage, we invite you to subscribe to the blog.