For over 100 years, the National Association of Insurance Commissioners (NAIC) has been developing model legislation to encourage uniformity among states for the regulation of insurance products.  The NAIC model laws and guidelines are proposed statements of insurance regulation for all 50 states as well as the other jurisdictions (such as D.C. and Guam).  Once passed, states can choose to adhere to the NAIC’s model laws fully, with modifications, or not at all.  If a state chooses to adopt the model law, its adoption will apply to all insurance carriers, managing general agents, agencies, and producers operating in that state. 

Introduction of Insurance Consumer Privacy Protection Model Law #674.

In the last decade, there have been several major data breaches involving large companies that have exposed and compromised the sensitive personal information of millions of consumers across the United States.  Following these record-shattering data breaches, there has been a major push for increased transparency and regulation in the insurance industry regarding consumer data privacy.  With an increase in consumer data collection, the threat of ransomware attacks opens companies up to potential litigation or regulatory action if not handled properly.

In an effort to address some of these issues, the NAIC released Insurance Consumer Privacy Protection Model Law #674 (Model #674) in early 2023.  The purpose of Model #674 is to regulate insurance business or other business regulated by state insurance departments (i.e., “licensees”) by establishing:

(i) standards for the collection, processing, retaining, or sharing of consumers’ personal information by licensees and their third-party service providers to maintain a balance between the need for information by those in the business of insurance and consumers’ need for fairness and protection in the use collection, processing, retaining, or sharing of consumers’ personal information;

(ii) standards for licensees engaged in additional activities involving the collection, processing, retaining, or sharing consumers’ personal information; and

(iii) standards applicable to licensees for providing notice to consumers of the collection, processing, retention, or sharing of consumers’ personal and publicly information.

Model #674 stands to replace both current privacy-related NAIC model laws that are now decades old – the Insurance Information and Privacy Protection Model Act #670 (adopted nearly 40 years ago and enacted by 17 states) and the Privacy of Consumer Financial and Health Information Regulation #672 (adopted over 20 years ago and enacted in 43 states).

In issuing Model #674, the NAIC’s Privacy Protection Working Group (PPWG) attempts to address several issues that were seen in previous models, including:

• Enhancing transparency in terms of how a consumer’s data is collected, processed, shared, and retained.
• Addressing the issue of data minimization and broad sharing limitations.
• Requiring consumer consent before personal information is shared with other entities, or entities outside the U.S. where there may not be conforming privacy protections protecting the information.
• Definitively prohibiting insurers from selling consumer’s personal information.
• Ensuring that consumers had the right to have his or her personal information amended or corrected, unless an insurer can show good cause for refusal to make said amendment or correction.
• Adding a record retention requirement rather than a “right to be forgotten” provision as has become common in recent state consumer data protection laws. This is due to the industry’s generally longer timeframe required to maintain consumer information. However, the model imposes a requirement on insurers to delete consumer data within a set period after it is no longer required by the insurer.
• Ensuring that oversight of third-party service providers remains primarily the responsibility of the licensed insurer.
• Ensuring the existence of safe harbor provisions for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA).

What this means for Insurers.

Model #674 demonstrates that the NAIC is continuing to reevaluate its historical approach to privacy compliance requirements and is taking an ever-stricter approach consistent with the broader regulatory community.  What remains to be seen is how Model #674, as adopted by states, will affect insurers’ compliance obligations vis-à-vis the patchwork of state data compliance laws and regulations that have recently been adopted or are currently under consideration.

Further, it will be interesting to see whether Model #674 will serve to define the standard of care that insurance businesses owe their customers with regard to data privacy issues, regardless of whether the model law is adopted by all states across the nation.

Status of Model #674 Publication.

Though Model #674 was anticipated to be published in the fall of 2023, its final adoption date was pushed back to sometime in 2024 after multiple states publicly announced that they will not support the current proposed Version 1.2.  A full text of the most recent Version 1.2 can be found here.