On March 2, 2016, the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force proposed a new model law intended to “establish the exclusive standards for data security and investigation and notification of a breach of data security” in the insurance industry.
The model law requires licensed insurers and producers to:
- Develop, implement and maintain an information security program to ensure confidentiality of personal information, and protect against anticipated threats to and unauthorized access of such information.
- Provide for board of directors oversight of the information security program (if applicable) and annual reporting to the board of directors regarding the data security program.
- Include provisions in all third-party service provider contracts regarding (a) third-party safeguards, (b) post-breach notification, (c) post-loss indemnification, (d) cyber-security audits, and (e) representations and warranties regarding compliance.
- Investigate a suspected data breach and take steps to restore the security and confidentiality of compromised systems.
- Provide notice of a data breach to (a) the appropriate Federal and state law enforcement agency, (b) the insurance commissioner, (c) consumers, and (4) consumer reporting agencies.
- Implement protections for consumers after a data breach as prescribed by the commissioner but not less than twelve months of identity theft protection for affected consumers paid for by the insurer/producer.
The model law gives the insurance commissioner the power to (1) conduct examinations and investigations of licensed insurers/producers, and (2) hold hearings in the event of a suspected violation of the requirements listed above. If the insurance commissioner finds that no violation has occurred, the insurance commissioner will serve his or her written findings on the insurer/producer and any other persons whose rights were allegedly violated. On the other hand, if the commissioner determines that the insurer/producer has committed a violation, the insurance commissioner will serve his or her written findings on the insurer/producer along with an order to cease and desist the violating conduct.
In addition to a cease and desist order, the insurance commissioner has the authority to order payment of monetary penalties. The model law provides for suggested penalties of up to $500 per violation (subject to a maximum of $10,000). If the insurer/producer violates the commissioner’s cease and desist order, the insurance commissioner, in his or her discretion, can impose further penalties. The model law provides for suggested penalties of up to $10,000 per violation (subject to a maximum of $50,000).
The insurance commissioner’s order and/or report is subject to judicial review upon the petition of the insurer/producer. The number of days for filing a petition was not specified in the current draft of the model law.
Importantly, the model law also provides that remedies may be directly available to aggrieved consumers. Within two years from the date of the alleged violation (or the time when the violation should have been discovered), consumers can bring private actions seeking equitable relief for alleged violations of their consumer rights. Consumers may recover costs and attorneys’ fees if they prevail in their action against the insurer/producer.
The NAIC’s model law also provides for extensive regulation of licensed insurers and producers (including important safeguards for third-party contracts), as well as specific mechanisms by which regulators can enforce compliance. It also states that “no other provision of state or federal law or regulation regarding data security or investigation or notification of a breach of data security shall apply to licensees subject to [its] provisions.”
At this point, the model law is in draft form. The period for public comment will end on March 23, 2016.
This model law follows NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance adopted in April 2015 and the NAIC Roadmap for Cybersecurity Consumer Protections adopted in December 2015.