On July 27, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015 and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.
Adoption of the Bill of Rights by the NAIC would not have binding legal impact on any state. Nonetheless, it will likely influence state regulators and legislators in expanding insurance consumer protections and requiring that additional steps be taken by insurance companies and producers to protect data and mitigate breaches. The summary below refers to the specified “rights” as though they were potentially binding.
Another initiative, focused more on prevention of data breaches, was the adoption by the NAIC last month of Principles for Effective Cybersecurity Insurance Regulatory Guidance (Cybersecurity Principles). The Cybersecurity Principles are twelve principles outlining the safeguards that insurance companies are expected to have in place in order to protect consumers from cybersecurity breaches. Among other things, the Cybersecurity Principles require that cybersecurity regulatory guidance for insurance companies be “flexible, scalable, practical and consistent with nationally recognized efforts” such as those embodied in the National Institute of Standards and Technology (NIST) framework. The original draft of the Cybersecurity Principles required encryption of sensitive data collected and stored, and transferred inside or outside of an insurance company/producer’s network. However, after discussing the mechanics of encryption, the final version of the Cybersecurity Principles as adopted was revised to more broadly require that data be “appropriately safeguarded” rather than encrypted.