The National Association of Insurance Commissioners’ (NAIC) Executive Committee and Plenary has approved the NAIC Roadmap for Cybersecurity Consumer Protections (the “Roadmap”), formerly the Cybersecurity Bill of Rights. The Roadmap “describes the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use” personal information. It provides, among other rights, that insurance consumers have the right to:
- Expect insurance companies, agents and any businesses they contract with to take reasonable steps to keep unauthorized persons from seeing, stealing or using their personal information;
- Receive a notice if an unauthorized person has (or it seems likely they have) seen, stolen or used their personal information; and
- Get at least one year of identity theft protection paid for by the company or agent involved in a data breach.
The Roadmap did not pass without objections. Some interested parties expressed concern that state legislatures will be reluctant to enact a sector-specific law, and others emphasized the need for a more deliberative policy development process. The Independent Insurance Agents & Brokers of America expressed concern that insurance agents would be required by law to provide affected consumers with one year of identity theft protection following a data breach. The organization argued that identify theft protection is of low value to a consumer when his/her personal information has been stolen and that consumers can obtain such protection on their own, often at no cost to them.
Currently, the Roadmap is not binding on states, but supporters hope that it will ultimately lead to a single model law during 2016. They appreciate the NAIC’s effort to adopt a single model law rather than attempt to shape multiple regulations. As 2016 begins, insurance companies and agents should remain alert to developments in this area of consumer protection.