On August 17, the National Association of Insurance Commissioners (the NAIC) Cybersecurity (EX) Task Force (the Task Force) released for comment a revised draft Insurance Data Security Model Law (the Model Law). This Model Law purports to “establish exclusive standards . . . for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to an enacting state’s insurance laws. When first presented in April, the Model Law generated more than 40 comment letters from trade associations, market participants and regulators. It also was the subject of a spirited discussion at the Spring National Meeting and a two-day interim meeting in which interested parties and regulators discussed issues raised by the Model Law. 

Although the revised draft of the Model Law responds to many issues raised by regulators and interested parties, some key concerns remain unresolved, including:

• The Model Law’s effect on overlapping federal and state laws;
• The timing and content of breach notifications;
• How ongoing compliance obligations to update the information security program documentation should be met; and
• The broad grant of authority to insurance commissioners to order consumer protection measures following a breach.

Interested parties will have an initial opportunity to provide comments on the draft at the Task Force’s meeting on August 27 at the NAIC National Summer Meeting in San Diego and a subsequent meeting not yet scheduled. Written comments to the draft Model Law must be submitted by the close of business on September 16. 

We highlight some key changes:

• Purpose, Intent, Applicability and Scope

The draft Model Law previously sought to preempt all state and federal law addressing “data security or investigation or notification of a breach of data security.” Trade associations and regulators alike questioned whether preemption would be effective and at least one large state indicated it wants the Model Law to set a floor for cybersecurity and breach response practices rather than displacing more stringent requirements under existing law. In response, the Task Force has revised the Model Law to “not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation of law in this state, except to the extent that such statute, regulation, order or interpretation is inconsistent with the provisions of this act and then only to the extent of the inconsistency.” This provision is in tension with the Model Law’s statement that its purpose and intent is to establish exclusive standards for licensees and the exact effect of the Model Law on overlapping standards and requirements under other laws is far from clear. In addition, the Model Law will leave intact the lack of uniformity among states. As a result, this issue could continue to be an area of contention.

• Definition of Consumer Clarified

The definition of “consumer” no longer applies to entities and has been changed to specify that covered individuals include, but are not limited to, applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and “others whose personal information is in a licensee’s possession, custody or control.” As a result, it remains the case that the Model Law applies whenever a licensee has personal information, regardless of whether the licensee is in a contractual relationship with the individual to which the personal information belongs. 

• Appropriateness of and Implementation of Information Security Program

The draft Model Law continues to provide that a licensee’s information security program shall be appropriate to the size and complexity of the licensee. Yet, despite requests from many regulators and interested parties, the draft does not further clarify how this “size and complexity” standard would work in practice. Additionally, the Task Force has added a requirement that “[t]he licensee shall document, on an ongoing basis, compliance with its information security program,” but the Model Law does not specify what constitutes adequate documentation and how often such documentation must be updated.

• Risk Management: NIST Framework Dropped

The draft Model Law no longer requires a licensee to use the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) as a guide when designing its information security program. Trade associations argued that, because cyberthreats and the technology used to combat such threats are continually evolving, it is not appropriate to mandate licensees to use one specific standard. Regulators agreed, noting that removing the reference to the NIST Framework would permit flexibility for future changes that the Task Force may not be able to contemplate now. Thus, the Model Law now requires each licensee to design its information security program based on generally accepted cybersecurity principles.

• Encryption

The definition of “encrypted” has been changed from “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security” to “the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.” This revision, which was recommended by regulators from Maine and Rhode Island and is based in part on a Massachusetts notification law definition of “encrypted,” is in response to trade association requests for a clearer and simpler definition. For similar reasons, the Task Force revised the encryption security measures that must be in a licensee’s information security program. A licensee was previously required to “encrypt electronic personal information, including while in transit or in storage on networks or systems to which authorized individuals may have access” and now instead must “encrypt all personal information while being transmitted on a public internet network or wirelessly and all personal information stored on a laptop computer or other portable computing or storage device or media.” These revised encryption security measures are based on a Connecticut data security law provision.

• Oversight by Board of Directors

The previous draft of the Model Law required a licensee’s board of directors to approve the licensee’s written information security program and to oversee the development, implementation, and maintenance of the licensee’s information security program. Trade associations argued that these requirements are outside the scope of a board’s role. Although the Task Force removed the requirement that a licensee’s board of directors approve the licensee’s written information security program, it retained the oversight requirement. In addition, the draft Model Law now requires a written annual report from the licensee’s executive management on its security program and compliance with the Model Law (curiously, the Model Law does not specify to whom the report must be provided).

• Oversight of Third-Party Service Provider Arrangements

One of the more unworkable provisions of the initial draft Model Law regarding vendor oversight has been significantly modified. The draft Model Law previously mandated that licensee arrangements with third-party service providers contain certain contractual provisions, such as requiring the third-party service provider to notify the licensee of a breach within three calendar days and to indemnify the licensee in the event of a cybersecurity incident that results in a loss. Trade associations asserted that such requirements were too specific and would place at risk many third-party relationships. In response, the Task Force removed this section and replaced it with a general section that requires licensees to “contract only with third-party service providers that are capable of maintaining appropriate safeguards for personal information” and holds a licensee responsible for any failure by a third-party service provider to protect personal information provided by a licensee to the third-party service provider.

• Consumer Rights Before a Breach of Data

The Task Force removed a section that in the prior draft would have required licensees to provide consumers with information regarding the types of personal information collected and stored by the licensee or any third-party service provider with which it contracts. The section was deemed redundant with the NAIC’s Insurance Information and Privacy Protection Model Law.

• Notification of a Data Breach

The previous draft of the Model Law only required licensees to provide consumer and regulatory notices in connection with data breaches that were “reasonably likely to cause substantial harm or inconvenience to the consumers to whom the information relates.” Consumer groups opposed the “substantial harm or inconvenience” standard. In contrast, trade associations opposed having to provide notices for unauthorized disclosure of certain items of personal information listed in the definition of that term that they did not regard as posing a substantial risk of harm to consumers.¹ It thus appears that the Task Force is taking a compromise position in the revised draft Model Law by removing the “substantial harm or inconvenience” standard and by also not requiring a licensee to provide notice in connection with the information listed in Subsections 3(H)(g)-(j). As such, in the current draft Model Law, a licensee must provide notification of a breach if the licensee determines that an unauthorized acquisition of personal information listed in all of the remaining portions of the definition of “personal information” involved in a data breach has occurred.

Next, although many trade associations argued that the time period in which to notify insurance commissioners of a data breach is too short, and that the detailed disclosures required for the notice would divert the attention and resources of companies dealing with a breach from investigation and remediation efforts, the revised draft Model Law did not substantially change this requirement. Instead, it mandates licensees to notify the commissioner no later than three business days, rather than five calendar days, after determining that a breach had occurred. Also, instead of requiring the licensee to include in such notice detailed information concerning the breach “as is known to the licensee,” the Model Law now requires as much of the information “as possible” in the initial notice and imposes as a continuing obligation to update and supplement the initial and subsequent notices. 

Finally, the draft Model Law continues to require licensees to provide insurance commissioners with a draft of a proposed notification to consumers. Commissioners still have the right to review the notification before it is sent to consumers, despite concerns from trade associations regarding the potential burden that such a requirement imposes. The concern remains that commissioners in all fifty states would have the authority to review and change the proposed breach notice before it is send to consumers in their state.

• Consumer Protections Following a Data Breach

After the previous draft of the Model Law authorized a commissioner to prescribe the “appropriate level of consumer protection” following a data breach and required the licensee to offer to pay for at least twelve months of identity theft protection, consumer groups and trade associations commented that a credit freeze is a better remedy for consumers than identity theft protection. Trade associations also contended that the commissioner’s authority to prescribe the “appropriate level of consumer protection” is too broad and that a credit freeze should be the only remedy. But, although the Task Force did incorporate the credit freeze, the draft Model Law also retains the commissioner’s authority to order identity theft protection and makes clear that a commissioner can “take other action deemed necessary to protect consumers.”

• Private Right of Action

The Task Force has removed the express creation of a private right of action in response to trade association claims that an express private right of action would create more litigation risks while providing minimal protection to consumers. Yet, the Model Law does not curtail a private right of action that may otherwise exist under an enacting state’s laws.

• Enforcement Procedure and Penalties

Certain enforcement procedure sections related to hearings, cease and desist orders, and judicial review were removed and reference is instead made to the enacting state’s administrative procedure act or insurance code applicable to administrative enforcement proceedings for serious violations. Similarly, specific penalties for violations of the Model Law have been removed and reference is now made to the enacting state’s general penalty statute.

¹ More specifically, this personal information is the information listed in Subsections 3(H)(g)-(j):

(g) Information that the consumer provides to a licensee to obtain an insurance product or service used primarily for personal, family, or household purposes from the licensee; 
(h) Information about the consumer resulting from a transaction involving an insurance product or service used primarily for personal, family, or household purposes between a licensee and the consumer; 
(i) Information the licensee obtains about the consumer in connection with providing an insurance product or service used primarily for personal, family, or household purposes to the consumer; or 
(j) A list, description, or other grouping of consumers (and publicly available information pertaining to them), that is derived using the information described in Section 3H(2)(g) through (i), that is not publicly available.