On December 17, the National Association of Insurance Commissioners (NAIC) adopted a Roadmap for Cybersecurity Consumer Protections.
Except for a new name and new introduction, the Cybersecurity Roadmap is identical to the Cybersecurity Bill of Rights that was adopted by the NAIC Cybersecurity Task Force in October. The Bill of Rights was adopted over objections from industry groups that the document was confusing and misleading. Critics have argued that the purported “rights” in the document go beyond and, in some cases conflict with, the actual legal obligations of insurers and agents under federal and state law (for example, state privacy laws and the Fair Credit Reporting Act). Others have noted that state insurance regulators do not have authority to regulate many of the entities (e.g., third-party vendors and service providers) that the document purports to regulate.
The rebranded “Roadmap” does little to address these industry concerns, other than to note in the newly inserted introduction that some of its consumer protections are not currently provided under state law. That statement, in turn, is countered by a parallel statement that the Roadmap functions as a Consumer Bill of Rights. It also notes that the consumer protections outlined in the Cybersecurity Roadmap will be incorporated into NAIC model laws and regulations. Commissioner Adam Hamm (North Dakota), chair of the NAIC Cybersecurity Task Force, has stated that this document is intended to serve as a starting point on a single model law that addresses these consumer protections (as opposed to amending several existing model laws).
The specific consumer rights outlined in the Roadmap and industry objections are described in a prior Sutherland Legal Alert on the Cybersecurity Bill of Rights. To recap, it states that insurance policyholders have the right to:
- Be informed of the kinds of data held by insurance companies, agents and businesses they contract with (such as marketers and data warehouses).
- Expect the insurer, agent or any business they contract with to reasonably safeguard consumer personal information from being seen, stolen or used.
- Be notified by the insurance company, agent or any business they contract with if an unauthorized party sees, steals or uses the personal information (or it seems likely that such an event has occurred). This notification should:
  - Be sent via email (if consent is obtained) or first-class mail,
  - Be sent within 60 days after the data breach is discovered,
  - Describe what information was stolen and what steps the consumer can take to protect himself/herself,
  - Describe what steps the insurance company, agent or business they contract with are taking to safeguard consumer personal information,
  - Include the three nationwide credit bureaus’ contact information, and
  - Include the contact information for the company involved in the data breach.
- Have the company or agent involved in the breach pay for one year of identity theft protection.
- If consumers’ identities are stolen, they have the right to:
  - Place a 90-day initial fraud alert on their credit reports,
  - Place a seven-year extended fraud alert on their credit reports,
  - Place a credit freeze on their credit reports,
  - Receive free copies of their credit reports,
  - Remove fraudulent information related to the breach from their credit reports,
  - Dispute fraudulent or false information on their credit reports,
  - Block creditors and debt collectors from disclosing fraudulent accounts connected to the data breach,
  - Receive copies of documents relating to the identity theft, and
  - Stop debt collectors from contacting them.
Consumers are also directed to contact their state insurance department if they have questions about data security, a notice they receive about a data breach, or other issues concerning their personal information in an insurance transaction.