Cybersecurity

The Issue: Do the National Association of Insurance Commissioners’ (NAIC) efforts to develop a data security model law for the insurance industry strike the appropriate balance between protecting consumers’ rights and not disrupting the normal business operations of insurance licensees?
 
Background: In recent years, the related issues of cybersecurity and data breaches have received an increasing amount of attention from the media, the public, and policymakers. Barely a week goes by in which the national news does not report on another major breach of data security. In addition to the more than 40 states that already have general data security laws on the books and the increasing attention being paid by federal lawmakers to these issues, the NAIC formed the Cybersecurity Working Group to develop a new data security model law that would be specifically applicable to the insurance industry and that would cover any person or entity licensed under state insurance laws.
 
The initial drafting efforts by the working group would have set up a two-pronged system requiring licensees to establish data security and protection programs that met certain requirements. It also spelled out notification and other requirements in the event a licensee suffered a data security breach. This issue and the proposed duties and responsibilities included in the draft model act have been extremely contentious from the start of the drafting process. Industry and regulators have not seen eye to eye on many of the fundamental, threshold issues being addressed in the draft model, including whether there should be a harm trigger (meaning some element of actual risk of harm to the consumer) before the act’s duties and responsibilities would apply, whether the approach being followed by the working group would help or hurt efforts to achieve uniformity among the state laws on this topic, and how broad a range of personal information should fall under the model’s coverage.
 
The issue is further complicated by the fact that almost every state already has a generally applicable cybersecurity law on the books. This raises questions about the need for a data security law specifically dealing with the insurance industry, and the possibility that state attorneys general may not support a cyber law that would result in their giving up data breach jurisdiction in their states over a large and important industry. While some progress was made in narrowing the industry/regulator differences as the working group moved ahead and developed second and third drafts of the model, many areas of fundamental disagreement remained.
 
Current Status: Following the NAIC’s Spring National Meeting in April 2017, the Working Group released a fourth draft of the model. This latest draft presented a fundamental and positive shift away from the approach taken in the previous drafts. The primary focus of the draft model is now on the requirements for licensees’ data security programs, and this current draft has stripped away many of the troublesome breach notification requirements found in prior drafts. The general consensus of the industry is that, while numerous concerns remain, this fourth draft represents a significant improvement over previous drafts.
 
The working group is currently reviewing comments received on the fourth draft and hopes to release a fifth draft for comment prior to the NAIC Summer National Meeting scheduled for early August 2017. The chair of the working group is hopeful that the fifth draft will be more in the nature of tweaks than major revisions, and his goal is to have the working group vote on the model before the summer NAIC meeting.
 
NAIFA Position: NAIFA shares the concerns of regulators and others about the growing threat and impact of data security breaches. We support reasonable requirements and regulations in this area that provide meaningful consumer protections while not being overly burdensome to insurers and producers. Requirements for data security programs and notifications following a breach should be based on the possibility of actual harm and be appropriate to the size and complexity of the licensee.