On March 2, 2016, the National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force proposed a comprehensive Model Law that is intended “to establish the exclusive standards for data security and investigation and notification of a breach of data security” for licensed insurance companies. The proposed Model Law would apply to all insurers, producers “and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to the Insurance Law” of the state that adopts the Model Law.
Comments on the proposed model law are due by March 23. After receiving comments from regulators, industry participants and the public, the Cybersecurity Task Force is expected to adopt a revised version of the Model Law and forward it to the NAIC Executive Committee for action. In order to become an NAIC Model Law, the proposal will need to be approved by a two-thirds majority of the NAIC Executive Committee and Plenary. It would then be up to each state legislature to decide whether to enact the Model Law and also whether to make any modifications to the text of the Model Law if and when it is enacted.
The NAIC has been active in the cybersecurity space, including adopting the Principles for Effective Cybersecurity Insurance in April 2015. (For more information, see our legal update, “Roadmap for Cybersecurity Consumer Protections.”) The Model Law represents another effort to provide comprehensive guidance and uniformity on cybersecurity matters within the insurance industry.
Implementation of a Written Information Security Program
The Model Law would require insurance licensees to create a comprehensive written information security program (WISP) that details the “administrative, technical, and physical safeguards” a licensee has in place “for the protection of personal information.” The WISP should take into account the particular characteristics of the licensee, including the nature and scope of the licensee’s activities, and the sensitivity of the consumer information the licensee seeks to protect. As part of the WISP, the licensee shall designate employees who can engage in risk assessment: these employees should identify potential threats, the damage from these threats and the capacity of the safeguards to control these threats. The Model Law encourages licensees to use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) as a guide when developing the WISP.
Oversight of the Board of Directors
The Model Law requires a licensee’s board of directors to approve the WISP and oversee its implementation. The licensee is required to report to its board at least annually to explain the overall status of the WISP and the licensee’s compliance with the Model Law. The licensee shall also explain risk assessment and management, as well as the results of testing, details from security breaches and any management responses.
Oversight of Third-Party Services Providers
Recognizing that third-party service providers also affect a licensee’s security safeguards, the Model Law directs licensees to “select and retain third-party service providers that are capable of maintaining appropriate safeguards for the personal information at issue” and to require, by contract, that these third-party service providers, among other things, “implement and maintain appropriate safeguards for the personal information at issue” (including those described above under “Implementation of a Written Information Security Program”) and “allow licensee or its agents to perform cybersecurity audits.”
Consumer Rights Before a Breach
Investigation of a Breach
When a data breach does occur, the licensee must properly investigate the breach, which includes assessing the nature and scope of the breach, identifying the personal information that may have been involved, determining if the personal information had been acquired without authorization and taking reasonable measures to restore the security and confidentiality of the systems compromised in the breach.
Notification of a Breach
The licensee must also notify various parties of the data breach without unreasonable delay. It must notify the appropriate law enforcement agencies, the insurance commissioner, any relevant payment card networks, consumer reporting agencies (only under certain circumstances) and all consumers to whom the personal information relates. The licensee must notify the insurance commissioner within five calendar days of discovering a breach and within 45 days of identifying a breach. The licensee must provide the insurance commissioner with a draft of the proposed written communication to be sent to consumers.
Consumer Protections Following a Breach
Turning to consumer protection after a breach, the Model Law requires licensees to notify, without unreasonable delay, all affected consumers involved in a data security breach within sixty (60) days of identifying the breach. The definition of personal information is very broad and includes health and biometric information of a consumer. Notification is not required if the personal information is encrypted or the breach is not reasonably likely to cause substantial harm or inconvenience (e.g., identity theft or fraudulent transactions on financial accounts) to the consumers. Licensees must also offer to pay for at least 12 months of identity theft protection for affected consumers.
Powers of the Commissioner
The insurance commissioner has various powers to examine and investigate the affairs of a licensee in order to determine whether the licensee has been or is engaged in any conduct in violation of the Model Law. For example, when the commissioner has reason to believe that a licensee has engaged in conduct that violates the Model Law, the commissioner may hold a hearing to explore the charges. If, after a hearing, the commissioner determines that the licensee has engaged in conduct in violation of the Model Law, the commissioner may order the licensee to cease and desist from such conduct.
The Model Law also places emphasis on confidentiality, stating that any information in the control or possession of a department of insurance furnished by a licensee shall be confidential and is not subject to laws, such as open records or freedom of information laws, or a subpoena, thereby protecting the confidentiality and privileged nature of consumer information.
The Model Law provides that where a hearing results in a finding that the licensee violated the Model Law, the commissioner has the power not only to issue a cease and desist order but also to order a monetary penalty. The current draft of the Model Law suggests a $500 penalty for each violation, with the aggregate amount not to exceed $10,000. If a licensee violates a cease and desist order, the commissioner may impose a penalty of $10,000 for each violation and suspend or revoke the licensee’s license. The commissioner may impose a penalty of $50,000 if violations have occurred with such frequency as to constitute a general business practice.
Comments on the proposed Model Law are solicited and should be sent to Sara Robben at Srobben@naic.org by the close of business on Wednesday, March 23, 2016.