As previously reported here, the NAIC Cybersecurity Task Force proposed a “Cybersecurity Bill of Rights” (the “BOR”), which purported to state consumers’ rights related to information security. In the face of industry criticism of the draft BOR, including comment letters by the ACLI, NAMIC, the PIA, the Big I and many others, in its conference call on December 17, the NAIC Executive (EX) Committee and Plenary adopted the proposal with two revisions, renaming it a “Roadmap for Cybersecurity Consumer Protections,” and including an important preface, presumably intended to address concerns about inconsistencies between the BOR as initially proposed and existing legal and regulatory requirements. The preface states:

This document describes the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use your personal information, including what should happen . . . in a data breach. Not all of these consumer protections are currently provided for under state law. This document functions as a Consumer Bill of Rights and will be incorporated into NAIC model laws and regulations....