On August 17, 2016, the Cybersecurity Task Force (Task Force) of the National Association of Insurance Commissioners (NAIC) released for comment a revised draft of an Insurance Data Security Model Law (Model Law). This revised draft Model Law addresses comments received from regulators, industry participants and the public on the initial draft proposed by the Task Force on March 2, 2016. (For more information, see our Legal Update, “NAIC Proposes Cybersecurity Model Law for the Insurance Industry.”) The Model Law, if adopted by the NAIC and enacted by the states in its present form, would establish the “exclusive standards” under state law for data security and investigation and notification of a data breach applicable to “licensees.” The term “licensee” is defined as “any person or entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state.” It would therefore include insurance companies as well as insurance agents and brokers, claims adjusters and administrators.
There is significant continuity between the initial March 2016 draft and the current one. The current draft continues to require licensees to create a “comprehensive written information security program” that details the “administrative, technical, and physical safeguards for the protection of personal information.” Further, as with the initial draft, the current draft requires licensees to contract only with third-party service providers who are “capable of maintaining appropriate safeguards for personal information.” The provisions relating to an investigation of a data breach are also largely similar to the prior draft: When a data breach occurs, the licensee must properly investigate the breach, which includes assessing the nature and scope of the breach, identifying the personal information that may have been involved, determining if the personal information had been acquired without authorization and taking reasonable measures to restore the security of the systems compromised in the breach.
There are, however, some noteworthy differences between the initial March 2016 draft and the current version.
- The current draft is more nuanced on how its provisions would interact with other state data breach notification laws. For example, the revised Section 2 provides that it does not supersede any state statute, regulation, order or interpretation that affords protection to any person that is greater than the protection provided under the Model Law. It also states that the Model Law may not be construed to create or imply a private cause of action for violation of its provisions nor to curtail a private cause of action that would otherwise exist in the absence of the Model Law. This means that certain other provisions of state law, in addition to the Model Law, will still apply, which would seem to undermine the stated goal of the Model Law to establish the “exclusive standards” in the state for data security and investigation and notification of a data breach applicable to licensees.
- The current draft places the onus more squarely on the licensees for oversight of third-party service provider arrangements: “the licensee shall be responsible for any failure by such third-party service providers to protect personal information provided by the licensee to the third-party service providers.”
- The initial draft would have specifically required licensees to use as a guide the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology in designing their information security programs. Now the draft reads that licensees may use “generally accepted cybersecurity principles” for that purpose. Similarly, the initial draft would have required licensees to use an Information Sharing and Analysis Organization to share information and stay updated, but the draft now permits the use of “generally accepted cybersecurity principles” to share information and stay informed regarding emerging threats or vulnerabilities.
- The current draft omits many of the detailed enforcement provisions that were included in the initial draft, such as procedures for the insurance commissioner to hold hearings, judicial review of the commissioner’s decisions and an enumeration of remedies, including monetary penalties and cease and desist orders. Instead, the revised draft cross-references the state’s administrative procedure act regarding the conduct of hearings and judicial review and cross-references the general penalty statute of the state’s insurance code with respect to penalties for violations of the Model Law. These changes may be the result of industry comments pointing out that the deleted provisions were duplicative of, and potentially inconsistent with, existing enforcement provisions of state law.
Comments to the revised draft of the Model Law are due to Sara Robben at firstname.lastname@example.org by close of business on Friday, September 16, 2016. Interested parties may also provide comments at the Task Force’s meeting on Saturday, August 27, 2017, in San Diego at the NAIC Summer 2016 National Meeting. Additionally, there will be a conference call following the September 16 deadline for parties to provide oral comments.
Following the comment period, the Task Force is expected to adopt a revised version of the proposed Model Law and forward it to the NAIC Executive Committee for action. To become an NAIC Model Law, the proposal will need to be approved by a two-thirds majority of the NAIC Executive Committee and Plenary. It would then be up to each state legislature to decide whether to enact the Model Law and whether to modify the Model Law’s text when enacting it.