- NAIC Task Force Releases Revised Draft Insurance Data Security Model Law
- August 30, 2016 | Authors: Mark D. Herlach; John S. Pruitt; Stephen E. Roth; Cynthia R. Shoss; Mary Jane Wilson-Bilik
- Law Firms: Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office
On August 17, the National Association of Insurance Commissioners (the NAIC) Cybersecurity (EX) Task Force (the Task Force) released for comment a revised draft Insurance Data Security Model Law (the Model Law). This Model Law purports to “establish exclusive standards . . . for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to an enacting state’s insurance laws. When first presented in April, the Model Law generated more than 40 comment letters from trade associations, market participants and regulators. It also was the subject of a spirited discussion at the Spring National Meeting and a two-day interim meeting in which interested parties and regulators discussed issues raised by the Model Law.
Although the revised draft of the Model Law responds to many issues raised by regulators and interested parties, some key concerns remain unresolved, including:
- The Model Law’s effect on overlapping federal and state laws;
- The timing and content of breach notifications;
- How ongoing compliance obligations to update the information security program documentation should be met; and
- The broad grant of authority to insurance commissioners to order consumer protection measures following a breach.
We highlight some key changes:
- Purpose, Intent, Applicability and Scope
- Definition of Consumer Clarified
- Appropriateness of and Implementation of Information Security Program
- Risk Management: NIST Framework Dropped
- Oversight by Board of Directors
- Oversight of Third-Party Service Provider Arrangements
- Consumer Rights Before a Breach of Data
- Notification of a Data Breach
Next, although many trade associations argued that the time period in which to notify insurance commissioners of a data breach is too short, and that the detailed disclosures required for the notice would divert the attention and resources of companies dealing with a breach away from investigation and remediation efforts, the revised draft Model Law did not substantially change this requirement. Instead, it requires licensees to notify the commissioner no later than three business days, rather than five calendar days, after determining that a breach has occurred. Also, instead of requiring the licensee to include in such notice detailed information concerning the breach “as is known to the licensee,” the Model Law now requires as much of the information “as possible” in the initial notice and imposes a continuing obligation to update and supplement the initial and subsequent notices.
Finally, the draft Model Law continues to require licensees to provide insurance commissioners with a draft of the proposed notification to consumers. Commissioners still have the right to review the notification before it is sent to consumers, despite concerns from trade associations regarding the potential burden that such a requirement imposes. The concern remains that commissioners in all fifty states would have the authority to review and change the proposed breach notice before it is sent to consumers in their state.
- Consumer Protections Following a Data Breach
- Private Right of Action
- Enforcement Procedure and Penalties
1 More specifically, this personal information is the information listed in Subsections 3(H)(g)-(j):
(g) Information that the consumer provides to a licensee to obtain an insurance product or service used primarily for personal, family, or household purposes from the licensee;
(h) Information about the consumer resulting from a transaction involving an insurance product or service used primarily for personal, family, or household purposes between a licensee and the consumer;
(i) Information the licensee obtains about the consumer in connection with providing an insurance product or service used primarily for personal, family, or household purposes to the consumer; or
(j) A list, description, or other grouping of consumers (and publicly available information pertaining to them), that is derived using the information described in Section 3H(2)(g) through (i), that is not publicly available.