NAIC Adopts Roadmap for Cybersecurity Consumer Protections

On December 17, the National Association of Insurance Commissioners (NAIC) adopted a Roadmap for Cybersecurity Consumer Protections.

Except for a new name and new introduction, the Cybersecurity Roadmap is identical to the Cybersecurity Bill of Rights that was adopted by the NAIC Cybersecurity Task Force in October. The Bill of Rights was adopted over objections from industry groups that the document was confusing and misleading. Critics have argued that the purported “rights” in the document go beyond and, in some cases conflict with, the actual legal obligations of insurers and agents under federal and state law (for example, state privacy laws and the Fair Credit Reporting Act). Others have noted that state insurance regulators do not have authority to regulate many of the entities (e.g., third-party vendors and service providers) that the document purports to regulate.

The rebranded “Roadmap” does little to address these industry concerns, other than to note in the newly inserted introduction that some of its consumer protections are not currently provided under state law. That statement, in turn, is countered by a parallel statement that the Roadmap functions as a Consumer Bill of Rights. It also notes that the consumer protections outlined in the Cybersecurity Roadmap will be incorporated into NAIC model laws and regulations. Commissioner Adam Hamm (North Dakota), chair of the NAIC Cybersecurity Task Force, has stated that this document is intended to serve as a starting point on a single model law that addresses these consumer protections (as opposed to amending several existing model laws).

The specific consumer rights outlined in the Roadmap and industry objections are described in a prior Sutherland Legal Alert on the Cybersecurity Bill of Rights. To recap, it states that insurance policyholders have the right to:

  1. Be informed of the kinds of data held by insurance companies, agents and businesses they contract with (such as marketers and data warehouses).
  2. Expect insurance companies/agents to have a privacy policy posted on their websites and available in hard copy upon request, which must explain the types of personal information collected, the choices consumers have about their data, how consumers can see, edit or delete the data held, how the companies store and protect the data, and a consumer’s recourse if the policy is not properly followed.
  3. Expect the insurer, agent or any business they contract with to reasonably safeguard consumer personal information from being seen, stolen or used.
  4. Be notified by the insurance company, agent or any business they contract with if an unauthorized party sees, steals or uses the personal information (or it seems likely that such an event has occurred). This notification should:
    • Be sent via email (if consent is obtained) or first-class mail,
    • Be sent within 60 days after the data breach is discovered,
    • Describe what information was stolen and what steps the consumer can take to protect himself/herself,
    • Describe what steps the insurance company, agent or business they contract with are taking to safeguard consumer personal information,
    • Include the three nationwide credit bureaus’ contact information, and
    • Include the contact information for the company involved in the data breach.
  5. Have the company or agent involved in the breach pay for one year of identity theft protection.
  6. If consumers’ identities are stolen, they have the right to:
    • Place a 90-day initial fraud alert on their credit reports,
    • Place a seven-year extended fraud alert on their credit reports,
    • Place a credit freeze on their credit reports,
    • Receive free copies of their credit reports,
    • Remove fraudulent information related to the breach from their credit reports,
    • Dispute fraudulent or false information on their credit reports,
    • Block creditors and debt collectors from disclosing fraudulent accounts connected to the data breach,
    • Receive copies of documents relating to the identify theft, and
    • Stop debt collectors from contacting them.

Consumers are also directed to contact their state insurance department if they have questions about data security, a notice they receive about a data breach, or other issues concerning their personal information in an insurance transaction.

This is expected to be an area of focus for the NAIC in 2016 and will be an issue that we continue to monitor.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising

Written by:

Eversheds Sutherland (US) LLP

Eversheds Sutherland (US) LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.