On October 14, the National Association of Insurance Commissioners (NAIC) announced its cybersecurity “bill of rights,” which outlines six rights of insurance consumers. Generally speaking, the bill of rights is divided into three broad categories: (1) standard consumer information, (2) insurer safeguards and actions, and (3) post-breach and identity theft protections. Although most states have data breach laws, the proposed rights exceed what many states require. Given the current differences in state laws governing how insurance companies must protect consumers’ data, this new bill of rights may spur additional privacy legislation and greater uniformity among state laws.

First, the bill of rights states that consumers have the right to know what information is collected and stored by insurance companies, their agents, or businesses contracting with those insurance companies. Insurance consumers also have the right to expect that privacy policies be made available on the insurers’ websites and upon request. Second, the bill of rights provides that insurance companies must take reasonable steps to protect consumers’ personal information. Third, the bill of rights sets out specific notice requirements in the event of a data breach. If a breach occurs, insurance consumers have the right to at least one year of identity theft protection paid for by the company or agent involved in the data breach. Additionally, an insurance consumer whose identity is stolen has a right to, among other things, place a 90-day initial fraud alert on his or her credit report, place a credit freeze on his or her credit report, and obtain copies of documents related to the identity theft.

The NAIC is a non-governmental organization made up of the chief insurance regulators from all fifty states, the District of Columbia, and the five U.S. territories, and it establishes standards and best practices for the insurance industry. Thus, this bill of rights serves as guidance for the regulation of insurance companies, which occurs at the state level. The NAIC typically creates model laws and regulations, which the regulators in each state can then decide to adopt (in full or in modified form). Indeed, the NAIC’s press release heralding the bill of rights states that it is “intended to help update” model laws considered by the NAIC’s cybersecurity task force. The cybersecurity bill of rights is still a few steps away from being enforceable. Creating an enforceable standard would require either (a) the NAIC’s adoption of a model act containing the protections outlined in the bill of rights, followed by adoption of that model act by individual states, or (b) adoption by individual states of separate legislation consistent with the bill of rights.

For further detail, the NAIC cybersecurity bill of rights is available here. This action follows the Principles for Effective Cybersecurity Insurance Regulatory Guidance, adopted by the NAIC in April of this year and discussed in an earlier post.