On May 24 and 25, the National Association of Insurance Commissioners (the NAIC) Cybersecurity (EX) Task Force (the Task Force) hosted a meeting in which state insurance commissioners and interested parties were invited to provide comments to and voice concerns about the current draft of the Insurance Data Security Model Law (the Model Law). This Model Law is designed to “establish exclusive standards for data security and investigation and notification of a breach of data security” for “all licensed insurers, producers, and other persons” licensed, authorized, or registered pursuant to an enacting state’s insurance laws (collectively, Licensees). The Model Law was exposed for comment before the Spring National Meeting in April and generated more than 25 comment letters from trade associations, market participants and regulators. The purpose of the two-day meeting was to allow a lengthier discussion of issues raised by the Model Law than was possible during the April meeting. 

Key areas of contention during the meeting included the following:

  • Information Security Program

Proposal. The current draft of the Model Law requires Licensees to implement a comprehensive written information security program that contains administrative, technical, and physical safeguards to protect information. Such an information security program would require, inter alia, that a Licensee: (1) conduct risk assessments; (2) manage risks by using the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework) as a guide; (3) implement certain prescriptive security measures; (4) oversee third-party service provider arrangements; and (5) have its board of directors oversee the program. The appropriate scale and scope of a Licensee’s information security program is based on the size and complexity of the Licensee, the nature and scope of the Licensee’s activities, and the sensitivity of the information.

Areas of contention. Industry representatives argued that information security program provisions were overly burdensome or infeasible. For instance, industry representatives opposed the prescriptive security measures as being at odds with the requirement that a Licensee’s information security program be based on the size and complexity of the Licensee. Further, they contended that mandating the NIST Framework as a guide was short-sighted in light of potentially more appropriate future cybersecurity standards. Additionally, these representatives asserted that the Model Law currently imposes duties on the board of directors that are more appropriately duties of executives, such as overseeing the development, implementation, and maintenance of the information security program. Finally, industry representatives challenged numerous requirements in connection with third-party service providers as impracticable, particularly the mandate that Licensees compel third-party service providers to agree by contract to indemnify the Licensee in the event of a cybersecurity incident.

  • Consumer Rights Before a Breach of Data Security. 

Proposal. Under the current draft of the Model Law, a Licensee must inform consumers about the types of personal information it collects and stores, regardless of whether a data security breach has occurred. It must also post on its website a privacy policy that includes information about: (1) the options consumers have with respect to their data; (2) how consumers can review and change or correct their data if necessary; (3) how the data is stored and protected; and (4) the course of action consumers can take if the Licensee does not follow its privacy policy. 

Area of contention. Industry representatives claimed that these pre-breach information requirements were duplicative, conflicting with privacy notice requirements under the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act. 

  • Notification of a Breach of Data Security. 

Proposal. If a Licensee determines that a breach of data security is reasonably likely to cause harm or inconvenience to the consumers to whom the information relates, then the current draft of the Model Law requires the Licensee to notify all such consumers without unreasonable delay and no later than sixty days after identifying the data breach. Licensees must also inform insurance commissioners from each jurisdiction in which affected consumers are located within five days after identifying the data breach. Moreover, insurance commissioners may edit a Licensee’s proposed notice before it is sent to consumers. 

Area of contention. With respect to these breach notifications, industry representatives challenged the timing, substance, and regulatory procedure, specifically that Licensees have only 60 days to notify all affected consumers, that insurance commissioners have the right to revise the notices before they are sent to consumers, and that insurance commissioners must be notified of all breaches, regardless of whether a Licensee determines that the breach is reasonably likely to cause substantial harm or inconvenience to consumers.

  • Consumer Protections and Rights Following a Breach of Data Security. 

Proposal. Following a data breach, the current draft of the Model Law authorizes state insurance commissioners to prescribe the appropriate level of consumer protection, and the Licensee must, at a minimum, offer to pay for at least 12 months of identity theft protection for consumers affected by a data breach. In addition, any person whose rights have been violated under the Model Law has a private right of action. 

Area of Contention. Both industry and consumer representatives asserted that the 12-month identity theft protection was misguided, and instead proposed that credit freeze protections would better serve consumers. Industry representatives also contended that the Model Law as currently drafted gives insurance commissioners too much discretion to prescribe consumer protections. Further, industry representatives requested the removal of the private right of action, with some representatives suggesting that the inclusion of such a private right of action would force many Licensees to oppose the Model Law.

The Task Force allowed follow-up comments to this draft of the Model Law to be submitted by June 3. Task Force Chair Adam Hamm of North Dakota has indicated that the NAIC intends to finalize this Model Law in 2016, so that it can be considered by state legislatures in 2017. Chair Hamm has also expressed an interest in making this Model Law an NAIC accreditation standard.