In 2017, the National Association of Insurance Commissioners (NAIC) is expected to adopt a new model law governing the protection of consumer personal information by insurers and other organizations that operate under state insurance laws. If adopted by state legislatures, the model law would impose significant new obligations on insurers, agents, brokers, and their service providers, including affirmative duties to
- maintain and implement a comprehensive written information security program;
- oversee third party service providers who receive or access consumer personal information;
- notify state insurance commissioners within three business days, and affected consumers within sixty calendar days, of determining that a data breach has occurred; and
- if deemed appropriate by a state insurance commissioner, offer to pay for consumer protection services for consumers affected by a data breach.
Originally proposed in March 2016, the model law has been through two draft and comment cycles.
Exclusivity, uniformity, and preemption. Version 2 states that its purpose is to establish “exclusive standards” for the industry in the areas of data security and data breach investigation and notification. It also provides, however, that the law does not supersede other state statutes, regulations, orders or interpretations of law except to the extent inconsistent with the model law. It further provides that statutes, regulations, orders and interpretations of law that provide greater protection for a consumer are not considered to be inconsistent. Version 2 also does not include exemptions or safe harbors for entities subject to existing data security and breach notification requirements under HIPAA/HITECH or the Gramm-Leach-Bliley Act.
Definition of “data breach.” Version 2’s definition of “data breach” covers any unauthorized acquisition, release or use of unencrypted personal information. The definition does not include a “harm trigger,” nor does it exclude good faith acquisition or use by employees or other similar low-risk disclosures.
Definition of personal information. Version 2’s definition of “personal information” subject to the law’s breach notification requirements covers a number of data elements commonly covered by existing state or federal data breach notification laws. The definition also extends, however, to new or less common categories of information. These include consumer names in combination with: (a) the consumer’s date of birth; or (b) any information of the consumer that the organization has a “legal or contractual duty to protect.”
Applicability and scalability of information security program requirements. Version 2 imposes an obligation to develop, implement and maintain a comprehensive, written information security program. The program is to be commensurate with the organization’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it handles. Even so, Version 2 includes certain prescriptive requirements that are to be implemented “based on generally accepted cybersecurity principles.”
Oversight of third-party service providers. Version 2 requires organizations to “contract only with third party service providers that are capable of maintaining appropriate safeguards” for consumer personal information. It also makes the organization responsible for those service providers’ failure to protect personal information as required under the model law. In the event a third-party service provider suffers a data breach, the organization remains responsible for complying with the law’s notification obligations.
According to a report that followed the NAIC’s fall meeting in December 2016, these issues will be the focus of ongoing discussion and drafting efforts by the NAIC’s Cybersecurity Task Force, which is expected to publish a third and final draft for consideration and possible approval by the organization in 2017. Gloria Gonzalez, NAIC Cyber Security Model Law to be Released in 2017, Business Insurance (Dec. 12, 2016).