The National Association of Insurance Commissioners (“NAIC”) continued its efforts to advance cybersecurity in the insurance industry when its Cybersecurity (EX) Task Force recently adopted the Cybersecurity Bill of Rights. The Cybersecurity Bill of Rights provides a set of directives for insurance companies to follow that are aimed at protecting the data of consumers. It updates existing NAIC initiatives under consideration by the Cybersecurity (EX) Task Force – a NAIC subgroup formed in November 2014 to monitor developments, proactively engage stakeholders, recommend regulatory protocols, and coordinate activities among NAIC committees to address privacy and data security issues.
The Cybersecurity Bill of Rights vests insurance consumers with the following rights:
- To know the types of personal information collected and stored by an insurance company, agent, or other business that the insurance company contracts with;
- To expect that the insurance company, agent, or other business that the insurance company contracts with takes reasonable steps to secure consumer data;
- To expect to receive written notification of a data breach from an insurance company, agent, or other business that the insurance company contracts with, within 60 days of discovery of the data breach;
- To expect at least one year of identity theft protection paid for by the insurance company or agent involved in the data breach; and
- To take steps to protect and minimize any damage to the consumer’s identity, including fraud alerts, credit freezes, obtaining credit reports, and managing fraudulent charges and debt collection efforts.
The Cybersecurity Bill of Rights builds upon a draft advanced by the NAIC’s Cybersecurity (EX) Task Force and published for comment in July 2015. The adopted bill removes certain language found in the prior draft, including specific references to the Fair Credit Reporting Act and HIPAA/HITECH when identifying consumer rights and notification procedures under the bill. The adopted bill also reduces the length of time insurers are advised to provide identity theft protection to consumers in the event of a data breach from a minimum of two years to one year.
In addition, several obligations under the Cybersecurity Bill of Rights are noteworthy because they are as stringent as, or more stringent than, most state and federal breach notification laws. For example, under the bill an insurance company is expected to provide one year of identity theft protection whenever a data breach occurs. Yet only the state of Connecticut imposes a similar obligation, and that requirement is limited to incidents that involve the name and Social Security number of a Connecticut resident. Similarly, and consistent with the breach notification timing requirement under HIPAA/HITECH, an insurance company must provide written notification of a data breach to consumers within 60 days. Only six states have more stringent timing requirements.
The surge in data breaches at insurers over the past few years has heightened awareness within the insurance industry of the privacy and security of consumer information. State insurance regulators have increasingly imposed requirements on insurance companies to notify state insurance agencies whenever a breach has occurred. The Cybersecurity Bill of Rights is designed to outline certain safeguards that consumers can expect insurance companies to implement to protect their data. And while compliance with the Cybersecurity Bill of Rights is not mandatory for insurers, nor is adoption mandatory for states, state and federal legislators and regulators are likely to look to its provisions for guidance in proposing new legislation and as a standard to which insurance companies could be held when deciding whether to bring enforcement actions.
The NAIC’s Cybersecurity (EX) Task Force’s adoption of the Cybersecurity Bill of Rights represents the first step in the approval process, and the bill will now be considered by the NAIC Executive (EX) Committee/Plenary for approval by the full NAIC membership.