The document notes, “This Cybersecurity Bill of Rights describes what you can expect from insurance companies,” but “Your specific rights may vary based on state and federal law.” This clause, added in response to legitimate concerns that the rights declared could conflict with existing state and federal provisions, makes the Bill of Rights more an aspirational and informational document than a legal one. In addition, adoption by the NAIC Cybersecurity Task Force is just the first step in the review process. The full membership must still discuss and approve the Bill of Rights before they update any existing model laws to conform to it.
When compared with the more onerous requirements of states and insurance entities that have taken a proactive approach to the regulation of data breaches and protection of personal information, the Task Force’s Cybersecurity Bill of Rights does little to expand the options available to consumers. However, if the Bill of Rights is approved by the full membership and incorporated into the relevant model laws with no further modifications, it will create increased pressure to update state laws that fall short of these rights.
Considering the concerns expressed during the drafting of the document by the American Council of Life Insurers, the American Insurance Association, and many other industry voices (summarized by the NAIC here), the Bill of Rights likely expresses the direction the NAIC is heading, but is not a concrete statement of the updates it will incorporate into its model laws.
The first right provides insurance consumers with the right to “Know the types of personal information collected and stored by your insurance company, agent or any business they contract with (such as marketers and data warehouses).”
This right reflects the legal requirements of two significant federal laws. Under the Gramm-Leach-Bliley Act, insurance companies must explain their information-sharing policies to consumers. Likewise, under the Fair Credit Reporting Act, which protects information collected by consumer reporting agencies and medical information companies, information in a consumer report cannot be disclosed to any entity that does not have a specific purpose under the Act. For example, if an insurer uses a consumer’s credit report to determine whether, or how, to issue a policy, they cannot pass that information on to any entity that does not “intend to use the information in connection with the underwriting of insurance involving the consumer.” Likewise, once finished using the report, the insurer must dispose of it so that it cannot be reconstructed (by burning, pulverizing, or securely deleting).
Though the first right does not necessarily expand upon Gramm-Leach-Bliley or the Fair Credit Reporting Act, it will result in more consumers caring about what kinds of personal information insurance entities require — and worrying about how that information is being used.
The third right provides consumers with the right to expect any insurance company, agent, or company they contract with to “take reasonable steps to keep unauthorized persons from seeing, stealing, or using [their] personal information.”
Determining what is “reasonable” in the context of an ever-evolving technological threat is challenging. The most instructive document to explain what the NAIC considers “reasonable” is its Standards for Safeguarding Customer Information Model Regulation. That document establishes general guidelines for “developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.”
The fourth right provides consumers with the right to appropriate notice in the event of a data breach. Notice requirements vary significantly from state to state, creating complexities whenever an insurer subject to multiple states’ requirements experiences a breach. The Task Force attempts to simplify this process by establishing a uniform standard for triggering notice. Consumers have a right to “get notice” from any insurance entity they contract with if “an unauthorized person has (or it seems likely they have) seen, stolen, or used [the consumer’s] personal information.”
Many states require companies to notify state agencies and consumers when personal information is compromised. For example, Florida’s Information Protection Act of 2014 requires that companies experiencing a data breach provide notice to each individual whose information was, or reasonably could have been, compromised as a result of the breach, unless it is not likely that the breach will result in financial harm.
The 2014 Florida law is, in some ways, more onerous than the NAIC rights outlined above. For instance, the Florida law requires that notice be sent within thirty days of determination that a breach occurred. The Task Force’s provisions on notice are below, with a comparison to Florida’s parallel provisions.
The fifth right provides consumers with the right to “at least one (1) year of identity theft protection paid for by the company or agent involved in a data breach.” This right may be the most burdensome for insurance entities in the case of a data breach.
Currently, only two states — Connecticut and California — require one year of protection after a breach occurs. However, some companies already choose to provide more than one year. For example, following a January 2015 breach, Anthem contracted with AllClear ID to offer a $1 million identity theft insurance policy and two years of identity theft repair and credit monitoring services.
Though this right goes beyond what most state laws require, it is clear that NAIC proposals are not the only form of pressure to provide greater protection that insurance entities feel. Rather, market reputation and customer retention have already motivated companies in the insurance sector, and beyond, to provide extensive options to assist consumers after a breach.
The sixth right provides consumers with the right to prevent further damage to their credit history in case their identity is stolen. This right does not stipulate any duties for insurers; rather, it merely lists options that consumers already have available to limit damage in the event of a breach. These options include contacting consumer-reporting agencies and instituting holds, alerts, or freezes, as follows:
Whether or not these rights are ratified and incorporated into the NAIC’s model laws in their current form, the Bill of Rights succeeds in consolidating numerous state and federal provisions into an easy-to-understand consumer policy. This will expand consumer awareness of, and demand for, the information protection services that insurance entities are increasingly expected to provide.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Kevin G. Fitzgerald
Joseph J. Silverstein
Foley & Lardner LLP Legal News is intended to provide information (not advice) about important new legislation or legal developments. The great number of legal developments does not permit the issuing of an update for each one, nor does it allow the issuing of a follow-up on all subsequent developments.