Cybersecurity and Consumer Data Privacy in the Insurance Sector: The Current Framework and a Look Ahead

From: Bloomberg/BNA

By Daniel Vinish and Ellen Farrell

As companies have increasingly moved to electronic storage media and as the vulnerability of that media has become more apparent, Congress and state legislatures have enacted numerous laws to help protect the privacy and security of confidential and personal consumer information. All states and the District of Columbia have now enacted laws specific to the insurance sector’s use of confidential and personal consumer information. While these laws are largely based upon the National Association of Insurance Commissioners’ (“NAIC”) Model Acts released in 1982, 1992, and 2002, states’ insurance-specific laws vary in their treatment of consumer information, and insurance companies often find themselves bound by other generally applicable state and federal laws as well.

At this point, the insurance-specific state laws arguably do not comprehensively address the obligations of insurance companies to ensure the privacy and security of consumer information. The NAIC has been working toward a solution to this issue since at least 2014, when the NAIC Executive Committee appointed a Cybersecurity Task Force (the “Task Force”) “to serve as the central focus for insurance regulatory activities related to cyber security.”1 In April 2015, the Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Cybersecurity Principles”) in order to set forth the NAIC’s expectations for how insurance regulators and insurance companies alike will effectively protect the insurance sector’s data security and infrastructure. Thereafter, in December 2015, the Task Force presented a Roadmap for Cybersecurity Consumer Protections (the “Cybersecurity Roadmap”) (later adopted by the NAIC’s Executive Committee and Plenary), which established a proposed “Consumer Bill of Rights” with respect to how insurance companies will secure and ensure the privacy of non-public consumer information. Neither the Cybersecurity Principles nor the Cybersecurity Roadmap, however, imposes enforceable obligations on companies in the insurance sector.
