In recent years the related issues of cybersecurity and data systems breach have received an increasing amount of attention from the media, the public, and policymakers. Barely a week goes by where the national news does not report on another major data security breach. In addition to the more than 40 states that already have general data security laws on the books and the increasing attention being paid by federal lawmakers to these issues, in 2015 the NAIC’s Cybersecurity Working Group began the process of developing a new data security model law specifically applicable to the insurance industry that would cover any person or entity licensed under state insurance laws.
The issue itself and the proposed duties and responsibilities that would be included in the draft model act proved to be extremely contentious from the start of the drafting process. As the Working Group moved ahead with drafting the new model, it became clear that industry and regulators did not see eye to eye on many of the fundamental, threshold issues being addressed in the draft model. These included whether there should be a harm trigger (meaning some element of actual risk of harm to the consumer) before the act’s duties and responsibilities would apply, whether the approach being followed by the Working Group would help or hurt efforts to achieve uniformity among the state laws on this topic, and how broad a range of personal information should fall under the model’s coverage.
The issue is further complicated by the fact that almost every state already has a generally applicable cybersecurity law on its books, raising questions about the need for a data security law specifically dealing with the insurance industry, and the possibility that state attorneys general may not support a cyber law that would result in their giving up data breach jurisdiction over a large and important industry.
The NAIC drafting process continued over the next two years. Finally, just before the NAIC 2017 Summer National Meeting, the Working Group published a sixth (and final) draft of the data security model, which included many of the revisions that had been proposed by industry. At this point, the regulators made clear that they had gone as far as they were willing or able to go in satisfying the industry’s concerns. With no further discussion, this draft was adopted by the Working Group, the Working Group’s parent committee, the Innovation and Technology (EX) Task Force, and the full NAIC membership as a new NAIC model, the Insurance Data Security Model Law. The Model sets out requirements for the protection of data in licensees’ possession and for procedures to follow in the event of a cyber breach.
The version finally adopted as the new model law is a vast improvement over earlier drafts; in particular, one of NAIFA’s main concerns—how producer relationships with third-party service providers (accounting, IT, payroll managers) are dealt with—was greatly improved. NAIFA believes the NAIC has gone as far as possible in terms of making further improvements to the model; additional revisions will occur, if at all, as state lawmakers consider enacting the model in their own states.
Although the final NAIC model is much improved over earlier versions, it still raises numerous concerns for NAIFA and others within our industry. In light of this, our industry coalition has developed a series of industry-proposed amendments to the NAIC model that would make the model acceptable to industry. In addition, the producer trades have drafted several additional producer-specific suggested amendments that address issues of particular concern to the producer community, including exempting licensees with fewer than 25 employees from the model’s requirements and the deletion of a provision requiring licensees to supervise their outside vendors’ compliance with the model.
To date, some version of the NAIC model (including some of the industry- and producer-proposed amendments) has been adopted in seven states—Michigan, Ohio, Mississippi, Alabama, Delaware, Connecticut and New Hampshire; South Carolina has adopted the NAIC model without amendments; New York has adopted a cybersecurity regulation not based on the NAIC model; and the NAIC model has been proposed in Maine and Virginia. We expect several other states to consider the NAIC model when their legislatures are next in session.
NAIFA shares the concerns of regulators and others about the growing threat and impact of data security breaches. We support reasonable requirements and regulations in this area that provide meaningful consumer protections while not being overly burdensome to insurers and producers. Requirements for data security programs and notifications following a breach should be based on the likelihood of actual harm and be appropriate to the size and complexity of the licensee.