On October 14, the National Association of Insurance Commissioners Cybersecurity Task Force (NAIC Task Force) adopted a version of the Cybersecurity Bill of Rights for insurance consumers. The Bill of Rights claims to outline the rights insurance consumers can expect when insurers, agents and other businesses collect personal consumer information and experience data breaches. It was adopted over objections from industry groups that the document was confusing and misleading. The Bill of Rights will now go before the NAIC’s Executive Committee for ratification, likely in November.

The Cybersecurity Bill of Rights states that insurance policy holders have the right to:

  1. Be informed of the kinds of data held by insurance companies, agents and businesses they contract with (such as marketers and data warehouses).
  2. Expect insurance companies/agents to have a privacy policy posted on their websites and available in hard copy upon request, which must explain the types of personal information collected, the choices consumers have about their data, how consumers can see, edit or delete the data held, how the companies store and protect the data, and a consumer’s recourse if the policy is not properly followed.
  3. Expect the insurer, agent or any business they contract with to reasonably safeguard consumer personal information from being seen, stolen or used.
  4. Be notified by the insurance company, agent or any business they contract with if an unauthorized party sees, steals or uses the personal information (or it seems likely that such an event has occurred). This notification should:
    • Be sent via email (if consent is obtained) or first-class mail,
    • Be sent within 60 days after the data breach is discovered,
    • Describe what information was stolen and what steps the consumer can take to protect himself/herself,
    • Describe what steps the insurance company, agent or business they contract with are taking to safeguard consumer personal information,
    • Include the three nationwide credit bureaus’ contact information, and
    • Include the contact information for the company involved in the data breach.
  5. Have the company or agent involved in the breach pay for one year of identity theft protection.
  6. If consumers’ identities are stolen, they have the right to:
    • Place a 90-day initial fraud alert on their credit reports,
    • Place a seven-year extended fraud alert on their credit reports,
    • Receive free copies of their credit reports,
    • Remove fraudulent information related to the breach from their credit reports,
    • Dispute fraudulent or false information on their credit reports,
    • Block creditors and debt collectors from disclosing fraudulent accounts connected to the data breach,
    • Receive copies of documents relating to the identify theft, and
    • Stop debt collectors from contacting them.

The Cybersecurity Bill of Rights was adopted after regulators, interested parties and consumer representatives expressed comments and concerns about the draft. The biggest issue brought up by industry-interested parties was that the Bill of Rights could appear to provide new protections to consumers and impose new obligations on insurance companies, agents or agencies beyond the rights and obligations afforded by applicable federal and state laws. These parties suggested the name and the content of the document be amended to more clearly characterize the aspirational nature of the Bill of Rights and to clarify that it may differ from existing consumer protections under federal and state laws and rules.  

For instance, the American Council of Life Insurers (ACLI) suggested that a preamble be added “…to avoid confusion, and to clarify the purpose of the Bill of Rights, what it is intended to be and that it does not grant consumers any rights or protections that are not provided under existing federal or state law.” The current version of the Cybersecurity Bill of Rights notes, at the bottom, that “[y]our specific rights may vary based on state and federal law.”

The NAIC’s Executive Committee will likely review the Cybersecurity Bill of Rights for ratification in November. As a follow-up, it is expected that in 2016 the NAIC Task Force will make recommendations to the NAIC’s Executive Committee for incorporating provisions from the Cybersecurity Bill of Rights into various consumer privacy and protection model regulations, including the NAIC Insurance Information and Privacy Protection Model Act (No. 670); the Privacy of Consumer Financial and Health Information Regulation (No. 672); the Standards for Safeguarding Consumer Information Model Regulation (No. 673); and the Insurance Fraud Prevention Model Act (No. 680).