NAIC Restarts Its Work Revising Its Model Privacy Provisions

Carlton Fields
Contact

Carlton Fields

After a brief hiatus due to COVID-19, the NAIC’s Privacy Working Group returned to work on May 5 discussing comments received on the working group’s markup of the NAIC Insurance Information and Privacy Protection Model Act (Model 670). Like much of the United States, COVID-19 is impacting the work of the Privacy WG as it now will expand its focus to include updating the requirements for health information in Model 670, the Privacy of Consumer Financial and Health Information Regulation (Model 672), and the Health Information Privacy Model Act (Model 55).

The chair of the Privacy WG explained the goals of the Privacy WG in changing the models, including:

  • Aligning the models with current privacy approaches reflected in the European Union’s General Data Protection Regulation and the California Consumer Privacy Act;
  • Updating the models to incorporate new definitions drawn from sources such as the NAIC Market Regulation Handbook or IT Exam Handbook; and
  • Revising the models to reflect the many new sources and ways insurers and their supporting organizations collect and share consumer information.

Based on these overarching goals, subject matter experts within the Privacy WG set forth comments on Model 670, including proposed changes, which, if adopted, would significantly impact insurers, as follows:

  • Broadening application to vendors and others with which insurers share information;
  • Extending protections to cover both natural persons and other legal entities;
  • Creating new consumer rights, such as the right to restrict particular uses and disclosures of information, the right to be forgotten, and special provisions for the information of minors and against discrimination;
  • Increasing consumer access to their information, including transferring the cost of such requests to insurers;
  • Shifting from opt-out to opt-in consent for disclosures of information for marketing purposes, and from mere notice to consent for the collection and use of information;
  • Adding restrictions on the use of data and provisions regarding insurers’ passive collection of information (e.g., tracking cookies and web beacons);
  • Increasing notice requirements, including shortening notification time frames, increasing disclosure specificity, eliminating abbreviated notices and instances in which disclosure can be made without prior authorization, and requiring more frequent notices of information practices;
  • Requiring state regulators to review and approve disclosure authorization forms, and shortening the length of time for which such authorizations are valid;
  • Deleting provisions that permit insurance institutions to delegate their obligations to others; and
  • Increasing accountability for insurers' refusal to correct or delete information and requirements to notify entities with which the insurer has shared later-corrected information, including by revising penalties provisions and drafting a version of the model law that would create a private right of action.

Interested party comments submitted thus far have focused on the importance of remaining consistent with existing privacy laws governing insurers and resisting more onerous requirements that may unnecessarily restrict insurers’ ability to compete against other industries (e.g., technology companies).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Carlton Fields

Written by:

Carlton Fields
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Carlton Fields on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide