The Cybersecurity Task Force of the National Association of Insurance Commissioners (the “NAIC”) met last month, as part of the NAIC’s 2015 Summer National Meeting in Chicago. The Task Force focused on two issues: the recent massive data breach suffered by Anthem, Inc., and a draft “Consumer Cybersecurity Bill of Rights” that was released for public comment in late July.

The Anthem Breach

Anthem’s general counsel reported that the FBI has completed its investigation of the breach and concluded that an advanced, persistent threat, sponsored by a nation state, was responsible for the attack. The FBI believes Anthem’s data was stolen for intelligence purposes, and not for use in a financial fraud. The FBI has been monitoring the dark web, and it has found none of the stolen data sold or dumped there.

Anthem, meanwhile, has engaged in extensive remediation efforts. In 2015, Anthem reportedly spent $65 million upgrading security, and it plans to spend another $65 million going forward. The money spent so far has gone to improvements in employee training, to enhanced authentication procedures, to implementation of passwords that expire every day, and to the retention of 55 experts who work on system and defense upgrades. Anthem’s general counsel expressed frustration that, even after spending all these resources enhancing its systems, Anthem has been told that it is still not immune from attack. The company is also frustrated by the absence of benchmarks by which to measure its efforts; because the company is operating in uncharted territory, there is no way to know for sure that its extensive efforts are not insufficient or superfluous.

Anthem’s customers have accepted free cyber insurance protection at an average rate of approximately 4%. Anthem itself was covered under a tower of cyber insurance at the time of the breach; it has made a claim, and the first-tier carrier reportedly has paid the claim. Anthem is now looking to collect from tiers two through four. In the wake of the breach, however, renewal of its coverage appears to be cost-prohibitive. Thus, Anthem has self-insured for the first $100 million of risk and obtained supplemental coverage from third-party carriers.

An NAIC multistate market conduct examination (MCE) into the Anthem breach has been completed, and a draft report has been completed. Indiana is the lead state on the MCE, joined by Maine, New Hampshire, North Dakota, Missouri and South Carolina.

The “Cybersecurity Bill of Rights”

The Cybersecurity Task Force also held a discussion, led by Commissioner Adam Hamm of North Dakota, on the exposure draft of the Cybersecurity Bill of Rights. According to the NAIC, this document “is intended to set standards for helping consumers if their personal information is compromised.” It declares, among other things, that an insurance consumer “generally [has] the right” to know what personally identifiable information an insurer is collecting and how long that information will be stored; to receive prompt notice of any compromise of that information, with the form and timing of the notice dependent on the type of information involved; and to be advised about both the insurer’s remedial measures and the rights of victims of data breach.

The initial comment period for the draft document closed on August 10, 2015, but the deadline was extended until August 31. The Task Force plans to hold a follow-up call in early September to discuss the comments it has received and the next steps it should pursue. At the August meeting, consumer advocate Birny Birnbaum asked whether the Bill of Rights is intended to educate consumers or serve as a guide for insurers; one of the regulators on the Task Force responded, “all of the above.” The regulator further stated that, once adopted by the Task Force and the NAIC membership, the Bill of Rights will be distributed to the states, and individual insurance commissioners can decide whether and by what means it should be disseminated and employed.

The Task Force further reported that a portion of the Cybersecurity Bill of Rights will be incorporated into the NAIC’s Model Law #670 (NAIC Insurance Information and Privacy Protection Model Act) and Model Regulation #672 (Privacy of Consumer Financial and Health Information Regulation).