On November 18, calling frozen federal legislative efforts “an opportunity” for state insurance regulators to “update state privacy protections … and potentially forestall or mitigate the impacts of any preemptive federal legislation,” the NAIC’s Privacy Protections (D) Working Group lit a fire by issuing an exposure draft of its report on consumer data privacy protections. The draft report, in addition to summarizing existing privacy protections and the Working Group’s discussions, recommends that the NAIC:

1. Further consider ways in which the NAIC’s existing privacy models (models 55, 670, and 672) could be amended, or a new model added, “to meet the consumer data privacy challenges presented by the public use of technology and data by insurers in today’s business environment”; and
2. Update the NAIC’s Market Regulation Handbook and IT Examiners’ Handbook “to provide guidance to state insurance regulators so they can verify insurers’ compliance” with privacy protections.

The Working Group envisions using existing privacy laws as kindling for its fire, relying on laws such as the European Union’s General Data Protection Regulation and recently enacted comprehensive state privacy laws as potential templates for its work. The Working Group will emphasize “data transparency, customer control, customer access, data accuracy, and data ownership and portability.”

The Working Group’s initial draft report culminated in a policy statement describing “what the NAIC currently supports as the minimum consumer data privacy protections that are appropriate for the business of insurance.” And while some of the policy statement’s provisions were industry standard privacy practices, others seemed like rogue sparks. For example, one provision undercut state Fact Act relief efforts by requiring redelivery of a privacy notice at least annually.

In response to comments, the Working Group reconstructed its draft policy statement with a more controlled “Report on Consumer Data Privacy Protections.” The report is “designed to address improvements needed for data privacy protections and to highlight issues needing further discussion.” It removes more controversial provisions and simply summarizes the Working Group’s “recommendations” based on existing NAIC privacy models. These recommendations include providing consumers with:

• A clear privacy notice, including periodic notice of any substantive changes during the relationship;
• Specific reasons for adverse decisions based on data gathered from sources other than the consumer;
• The ability to limit personal information sharing with third parties, “except for specific purposes required or specifically permitted by law”;
• The right to have their health information shared (whether with affiliates or others) only if they provide affirmative opt-in consent for such sharing; and
• The right to request:
  • A copy of their personal information, how that information is used, and the sources from which that information is collected; and
  • Correction, amendment, or deletion of their personal information.

Although the change in tone from the Working Group’s policy statement to its report turned a potential wildfire into a controlled burn, there remains no doubt that this blaze needs close supervision to avoid charring.