Recent action by the National Association of Insurance Commissioners (NAIC) could eliminate the requirement to issue redundant annual privacy notices under certain circumstances, while imposing new and onerous data security and breach notification obligations, as further described below.
Efforts to Streamline GLBA Privacy Notices
As we reported previously, the federal Gramm-Leach-Bliley Act (the GLBA) was amended effective December 4, 2015, eliminating the requirement for annual GLBA privacy notices under certain circumstances. The GLBA, however, does not preempt state laws that provide greater protection of consumer privacy rights. Therefore, the GLBA amendments presumably did not override state insurance law requirements for annual privacy notices, which had been promulgated to comply with the requirements of the GLBA as originally enacted and are now more protective than the amended GLBA requirements.
At the NAIC spring meeting on April 4th, the NAIC Privacy Disclosure (D) Working Group approved a draft bulletin, and considered amendments to the Model Privacy of Consumer Financial and Health Information Regulation, that would implement the GLBA amendments. Both the draft bulletin and the proposed amendments to the model regulation are pending approval by the NAIC and action at the state level. It will be up to individual states to adopt an amended privacy regulation and/or to issue a bulletin following the NAIC's proposal in order to give eligible insurers the relief provided under the GLBA amendments.
Issuance of Preliminary Draft Insurance Data Security Model Law
The NAIC Cybersecurity (EX) Task Force recently released a preliminary working and discussion draft of an Insurance Data Security Model Law (the Draft Model Law). While praiseworthy in its effort to provide uniformity for data security and breach notification requirements among the states, at least with respect to the insurance industry, the Draft Model Law clearly needs further development, input and revision, or it may do more harm than good.
The Draft Model Law has received significant industry criticism, including at a Task Force meeting held April 4, 2016, and in a letter submitted by about a dozen trade associations. Critics have objected that the draft would authorize regulations that could vary from state to state, thereby undermining the uniformity it seeks, and that it would create a private cause of action. With respect to breach notification, the Draft Model Law includes an onerous five-calendar-day requirement for notification to the commissioner (which would mean the commissioner of each jurisdiction in which affected consumers reside), and further authorizes each commissioner to review and comment on the draft consumer notification letter prior to issuance and to prescribe the level and duration of consumer protection required. At a minimum, the Draft Model Law would require that the breached entity offer and pay for at least 12 months of identity theft protection for affected consumers.