On October 15, 2015, the U.S. National Association of Insurance Commissioners (“NAIC”) released the Cybersecurity Bill of Rights (the “Bill”). The Bill, released during cybersecurity awareness month, is intended to improve consumer protection and to assist with updating model laws. In practice, it may expand the protections afforded to consumers, and the obligations imposed on insurance companies and agencies, beyond those provided in current state and federal laws.

Background

The NAIC’s Cybersecurity Task Force (“Task Force”) was formed in November 2014 to assist the NAIC in addressing cybersecurity issues in the insurance industry. As acknowledged by NAIC President Monica J. Lindeen, “Cybersecurity is one of the biggest challenges facing businesses today and this is one of our association’s key priorities.”

The Bill was created in part to help update the model laws considered by the Task Force, but the project’s key focus was improving protection for consumers. NAIC Cybersecurity Task Force Chair Adam Hamm noted:

Consumers have a right to expect their personal, financial and health information entrusted to the insurance industry is secure. They also deserve to know when a breach occurs so they can safeguard themselves against identity theft or other types of fraud. This Bill of Rights is designed to assist consumers when sensitive information is breached.

The release of the Bill is in addition to the April 2015 release of the Principles for Effective Cybersecurity Insurance Regulatory Guidance, as discussed in a previous post here.

The Bill

The wording of the Bill itself is short, simple, and succinct; the implications are far more substantial. In a statement of six key rights of consumers, the Bill creates an expectation of notice of breach within 60 days of occurrence and a right to a free year of credit monitoring in the event of a breach.

The Bill includes the right to:

  1. Know the types of information collected and stored by an insurance company, as well as any agent or business they contract with (including marketers and data warehouses);
  2. Expect insurance companies and agencies to have a privacy policy posted on their website (and available in hard copy, upon request) detailing the personal information they collect, the choices consumers have about their data, how the consumer can view and modify that data if necessary, how data is stored and protected, and the recourse available to a consumer if the insurance company or agency does not comply with its privacy policy;
  3. Expect the insurance company, agent, or any business they contract with to take reasonable steps to prevent unauthorized persons from seeing, stealing, or using personal information;
  4. Receive notice in writing from the insurance company, agent, or any business they contract with if a data breach has occurred (or if it seems likely that such a breach has occurred) within 60 days after the breach is discovered; the notice should describe the type of information involved, how individuals can protect themselves from identity theft or fraud, the actions being taken to protect information, and contact information for the three nationwide credit bureaus and for the company or agent; and
  5. Receive one year, at minimum, of identity theft protection, at the cost of the company or agent involved in the data breach.

In addition to the specific rights above, the final section of the Bill sets out the credit-reporting rights a consumer has in the case of identity theft, including the right to place a 90-day initial fraud alert and a seven-year extended fraud alert on credit reports, to require the removal of fraudulent information from credit reports, and to stop creditors and debt collectors from reporting fraudulent accounts related to the breach.

The Bill contains links to information about the protections in particular states and notes that specific rights may vary based on state and federal law.

Implications

The Bill was created to be consumer-friendly and is written in plain language to convey to the public what to expect in the event of a data breach. The U.S. insurance industry has expressed concern that the Bill may expand both the protections afforded to consumers and the obligations of insurance companies beyond those required by applicable law. A key issue is that the Bill has not been adequately described as the ambitious document that it is. Suggestions for improvement from key industry groups, such as the American Council of Life Insurers, the U.S. National Association of Health Underwriters, and the U.S. National Association of Insurance and Financial Advisors, among others, include adding language to clarify the purpose of the document, reduce potential confusion, and emphasize that rights may vary by jurisdiction.