NAIC Data Law Runs into Jumble of Opposition

State regulators and insurance industry groups have filed an avalanche of comment letters — 186 pages worth — asking for still more revisions to a proposed regulation governing agent liability in connection with data security.

The model law, the Insurance Data Security Model Law, was proposed by the National Association of Insurance Commissioners, and is on its second discussion-phase draft.

It is designed to offer state legislatures a roadmap for how insurers and distributors ought to proceed in the face of costly and potentially devastating data theft and the subsequent liability incurred by parties deemed responsible.

But a coalition of insurers, distributors and even other state regulators have called on the NAIC to rethink several passages within the draft proposal because it does not go far enough in pre-empting a patchwork of state laws governing data theft.

Trade groups have also taken issue with proposed notification procedures, definitions of what constitutes “personal information,” whether the model law is workable, procedures regarding post-breach investigations and harm thresholds.

Model laws drafted by the NAIC, which lacks enforcement powers, are not binding but serve as a guide for state insurance regulators and state lawmakers.

The first draft of the Insurance Data Security Model Law was issued in March and the second draft in August.

NAIC-level discussion around the data security model law is a sign that top-level leaders are beginning to take data breaches seriously. States like New York are also beginning to move aggressively with a modern data security framework.

Indeed, the NAIC’s draft appears to place a heavier onus on insurance licensees for the oversight of third-party service provider arrangements than state laws, said James R. Woods, co-leader of Mayer Brown’s Global Insurance Industry Group in New York.

NAIC commissioners began to address data breach issues in earnest last fall with the release of its Cybersecurity Bill of Rights. The document, while lacking any legal authority, gives policyholders some recourse when their data have been compromised.

With the introduction of the model law in March, the NAIC signaled to the industry that it is ready to undertake the heavy lifting in connection with a new data security framework.

The public comment period on the Insurance Data Security Model Law draft ended last month and NAIC officials are expected to discuss the model law once more at their fall national meeting in Miami, Dec. 10-13.

Industry Groups Want Sole Applicable Law

In a letter to North Dakota Insurance Commissioner Adam Hamm, chair of the NAIC Cybersecurity Task Force, representatives for 14 life, property and health insurers and distributors said they want the model law to be the “sole data security and breach notification law applicable in a state.”

The comments, co-signed by representatives of 14 trade organizations, urge the NAIC to modify the draft of the model law.

Changes are necessary to ensure uniformity among state data security and breach notification rules, and to ensure “workability” of the model law, the representatives wrote.

Industry representatives also see the Insurance Data Security Model Law draft as imposing strict liability on insurance licensees — an agent or advisor for example — for any failure by a third-party such as a data vendor or a custodian firm. For instance, if they fail to protect personal information provided by an insurance agent or financial advisor.

Such “potentially open-ended liability” isn’t something that insurance and financial advisors can accept, wrote Gary A. Sanders, counsel and vice president of government relations with the National Association of Insurance and Financial Advisors.

Furthermore, leaving out the “harm trigger,” or the threshold at which a data loss causes harm, “raises significant ‘workability’ concerns,” and may be neither practical in “real world applications,” nor of much help to consumers, Sanders wrote.

Agents and brokers are already subject to data breach requirements and 47 states have enacted data breach investigation and notification laws, wrote Wesley Bissett, senior counsel for Government Affairs with the Independent Insurance Agents & Brokers of America.

Regulators Raise Their Voices

State regulators who often clash with industry positions on regulation appeared to join the industry in this case citing costs, regulatory burdens on small agencies and the general legislative environment opposed to more rules.

In Georgia, the model law is already dead.

“Legislators and interested parties have expressed their dissatisfaction with the proposed model as it exists today,” wrote Sarah U. Crittenden, an attorney with the Legal Division of the Georgia Department of Insurance.

Arkansas Attorney General Leslie Rutledge likened the model law to the sweep of the Health Insurance Portability and Accountability Act’s data security and breach requirements by simply transposing them onto the rest of the insurance industry.

“Some members of the insurance industry, such as small-town independent agents, are too small to absorb the costs inherent in the model’s requirements,” said Rutledge in a two-page comment.

While the model law’s security program is designed to be tailored to the size and complexity of individual licensees, “all licensees regardless of size will have to undergo a risk analysis and have a written security program,” she wrote.

Arkansas’ breach notification law contains a harm threshold, which if not met does not require agents or insurers to notify consumers. In Arkansas, a premium invoice sent by an agent to the wrong address by mistake, for example, does not meet the threshold.

Under the NAIC’s proposed model law, a misdirected invoice would trigger the threshold and require notice requirements, Rutledge said.

Patrick M. McPharlin, director of the Michigan Department of Insurance and Financial Services, also called on the NAIC to back off the strict liability assigned to insurance licensees under the draft of the data security model law.

Making agents responsible or liable for security outside their control is simply unfair.

“It is unreasonable to make licensees strictly liable for third parties, irrespective of the standards of care they undertake in safeguarding the data,” he wrote.

InsuranceNewsNet Senior Writer Cyril Tuohy has covered the financial services industry for more than 15 years. Cyril may be reached at [email protected].

© Entire contents copyright 2016 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

Cyril Tuohy is a writer based in Pennsylvania. He has covered the financial services industry for more than 15 years. He can be reached at [email protected].