In October 2015, the US’s National Association of Insurance Commissioners[1] (the Association) released its Cybersecurity Bill of Rights.

The consumer-friendly Bill of Rights outlines six key consumer protection rights concerning data collected by insurers:

  1. The right to know personal information collected by insurers, their agents or businesses with which they contract (including how that information is collected and stored);
  2. The right to access (and, upon request, be provided with a copy of) the insurer’s privacy policy, which should provide certain minimum information about the collection, storage, protection and access to customer data, as well as the customer’s rights in the event of a breach;
  3. The right to reasonable protection of their personal information;
  4. The right to be notified in the event of a data breach, in the terms set out within the Bill;
  5. The right to one year of ‘identity theft protection’ paid for by the insurer/agent involved in the breach;
  6. Various rights in relation to initiating fraud alerts, freezes and the removal of fraudulent or wrong information from credit reports.


The Bill of Rights does not necessarily expand the legal remedies available to consumers. However, the obligations it imposes on insurers are, in many cases, more stringent than current US State and Federal breach notification laws. As a guide to the approach and expectations of the individual State regulators, it is therefore likely to place significant pressure on insurers to conduct themselves in accordance with its terms.

It is likely that the US State Insurance Commissioners will look to the Bill for guidance when exercising their functions within the scope of existing State laws and when considering future reform of those laws.

The Bill of Rights is also likely to be considered by insurance regulators in other countries, including ASIC here in Australia. While the Bill of Rights, to an extent, reflects what Australian insurers already do in relation to the collection, storage, protection, communication and access to customer data in compliance with the Australian Privacy Principles, it goes well beyond the current Australian requirements in respect of data breach notification. That area is currently the subject of the proposed Privacy Amendment (Notification of Serious Data Breaches) Bill, which was released in recent days for consultation (click here for our update on that draft Bill).

ASIC’s current guidance on cyber security and breach response (click here for our update on ASIC’s Report 429), which is not industry-specific, requires companies to develop their own cyber prevention and resilience plans but is not prescriptive as to the content of those plans.

It will be interesting to see whether ASIC looks to develop more prescriptive, industry-specific guides in the future. Equally, industry associations such as the Insurance Council of Australia and the National Insurance Brokers Association might do well to consider developing their own cyber standards by way of amendment to their existing Codes.