The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Task Force has received significant industry comments regarding its revised draft Insurance Data Security Model Law issued August 17, 2016 (the “Proposed Model Law”). While the revised draft addresses certain concerns voiced by the industry, some comments submitted to the NAIC regarding the revised draft raise significant concerns about key issues such as uniformity and overlapping regulation, onerous breach notification obligations, and the Proposed Model Law’s overly broad definition of “personal information.”
While the initial draft of the Proposed Model Law would have set “exclusive standards” for data security and breach notification in states adopting the model as drafted, the revised draft complicates this goal, stating that the Proposed Model Law is not to be construed to supersede or alter existing law, except to the extent it is inconsistent. Industry comments stressed the importance of a single, exclusive state law, as uniform among the states as possible, to simplify the existing patchwork of such requirements currently applicable to insurance carriers, producers and others. To this end, certain groups have also recommended that entities subject to HIPAA be excluded from the Proposed Model Law.
A change heavily criticized by the insurance industry removes the harm trigger from the Proposed Model Law’s breach notification requirement, thereby expanding notification obligations that industry commentators argue are already overly broad, since the definition of “personal information” under the Proposed Model Law potentially extends beyond data elements that could be used for identity theft, and beyond definitions of the term under existing breach notification requirements.
The revised draft of the Proposed Model Law would further shorten the initial draft’s extremely tight deadline for notification to state insurance departments. Under the revised draft, notices containing a great deal of information must be provided to the state insurance commissioner within three business days after determining that a breach has occurred – a significantly shorter deadline than those imposed by existing law.
Industry comments also noted approval of a number of the changes made in the revised draft, including elimination of the private cause of action, and removal of privacy notice requirements viewed as confusing and contradictory. In addition, the revised draft clarifies that the Proposed Model Law does not set a single standard for data security programs for all insurance department licensees, but instead, requires that each licensee’s data protection protocols should correspond to the size, complexity and nature of its operations, as well as the sensitivity of the personal information that it collects.
The NAIC has expressed intentions to finalize the Proposed Model Law by the end of the year. Meanwhile, the Texas Department of Insurance issued Commissioner’s Bulletin #B-0022-16 of September 15, 2016, which imposes additional requirements for reporting of cybersecurity incidents, and further complicates the existing patchwork of multi-layer state breach notification requirements to which insurers are currently subject.