‘Patchwork’ Of Data Security Laws Would Hurt Industry: ACLI

It might be on the back burner at the moment due to the COVID-19 pandemic, but cybersecurity regulation has not gone away.

The potential for disparate regulations governing the collection and use of data remains a strong possibility, and one the industry would like to avoid. One outlier law is the California Consumer Protection Act, which took effect Jan. 1 and is viewed as a problematic regulation by many insurers.

"Changes are occurring all the time and we're seeing a lot more companies come into the space and they're using personal information," said Kate Kiernan, vice president and deputy of policy development for the American Council of Life Insurers. "That, of course, is driving some of the sensitivities and policymakers see that we have some need for additional regulations."

Kiernan is moderating a panel discussion today on cybersecurity and privacy at the ACLI Annual Conference.

The California Way

According to the California bill, any company that collects, shares or sells the information of more than 50,000 people and generated revenue of more than $25 million in the preceding year, has to comply with the new law.

Furthermore, companies don’t have to be based in California to fall under the rules, they simply have to do business in the state.

The California law gives consumers the right to know what personal information companies collect from them, and what businesses do with it — whether they share, transfer or sell it, and who is the recipient of the information. Under a key provision, companies must give consumers the option to have their information deleted from databases.

The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records and information from GPS apps and programs.

"Our companies have, I think, adjusted well to the California Consumer Privacy Act," Kiernan said. "The problem with California is that that law has been tremendously unstable. It was crafted kind of under the dark of night, and then it had a number of changes."

Californians will vote on another, equally controversial, ballot initiative next month. Proposition 24 would allow consumers to tell businesses to limit the use of sensitive personal information, such as their exact location, health information and race. And it would triple the fine companies face if they violate children’s privacy rights, and create a new state agency to enforce the privacy law.

'We Think That's Bad'

The National Association of Insurance Commissioners tried to get ahead of the cybersecurity issue with its 2017 Data Security Model Law. To date, about a dozen states have adopted the law, which is modeled after a New York cybersecurity law.

Most significantly, the model requires that all licensees develop, implement and maintain a comprehensive Information Security Program (ISP). This effort is to be based on an individual risk assessment that is commensurate with the licensee’s size and complexity, the nature and scope of its activities, and the sensitivity of the nonpublic information used or in the licensee’s possession, custody or control.

What has ACLI and the industry most concerned is the evolution of a "patchwork" of different laws and cybersecurity requirements across the country, Kiernan explained.

"We think that's bad for consumers and for companies," she said. "We really are pushing for a uniform federal law that applies to all companies. We want to make that consumers' data is protected, both secure and private, and we want to have that level playing field."

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2020 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.