Industry Groups Press NAIC On ‘Consumer Cybersecurity Bill of Rights’

By Cyril Tuohy

Advocates for consumers and trade groups representing financial advisors have called on the National Association of Insurance Commissioners (NAIC) to edit and recast a proposed “Consumer Cybersecurity Bill of Rights.”

The Cybersecurity Bill of Rights outlines expectations of insurers if and when carriers experience data breaches or cybersecurity lapses. The document offers remedies for consumers who have suffered harm due to a data breach.

The document is part of the NAIC’s efforts to strengthen the insurance industry’s security posture by building a framework for insurance companies to follow in the event computer systems suffer from an attack.

During a summer when consumer advocates often found themselves opposing a powerful financial services industry over the implementation of fiduciary standards of care for retirement investors, the rapprochement between traditional rivals over an insurance Cybersecurity Bill of Rights is somewhat unexpected.

Included in the Cybersecurity Bill of Rights — barely more than one page long — are 12 points that consumers have a right to expect of insurance carriers and agents with regard to data collection and protection under health data and credit report laws.

Brenda Cude, a professor at the University of Georgia’s College of Family and Consumer Sciences, and Birny Birnbaum, executive director of the Center for Economic Justice, write that the document isn’t particularly useful for consumers.

“The density of the document would discourage most from even attempting to read it,” the advocates wrote in comments distributed at NAIC’s Summer Meeting in Chicago.

Consumer advocates’ unlikely allies on the NAIC’s Bill of Rights issue include powerful insurance groups representing life, health and property/casualty carriers along with agents and brokers.

Life and health carrier groups include the American Council of Life Insurers (ACLI) and the National Association of Health Underwriters (NAHU).

On the distribution side, the National Association of Insurance and Financial Advisors (NAIFA), the Council of Insurance Agents & Brokers (CIAB), the National Association of Professional Insurance Agents (PIA) and the Independent Insurance Agents and Brokers of America (IIABA) have pushed for deep edits or even wholesale deletions to the proposal.

NAIFA, PIA, NAHU and CIAB said they support a Cybersecurity Bill of Rights. However, in a joint letter to NAIC’s Cybersecurity Task Force chairman, they warn that the document, “as currently drafted … may create confusion for consumers as to exactly what rights they have following a breach by implying that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers.” The letter was sent Aug. 10 to North Dakota Insurance Commissioner Adam Hamm, chairman of NAIC’s Cybersecurity Task Force.

Government data breach experts with the FBI, as well as independent security experts, agree that it’s only a matter of time before individual insurance companies find themselves victims of a massive incursion.

Earlier this year, a data breach involving the health insurance carrier Anthem compromised a database with as many as 80 million customer records. Hackers gained access to the database through customized malware, according to Anthem executives who briefed the NAIC in March.

Stolen information included names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income data.

Data kept on file by giant retailers, financial institutions, U.S. government agencies and even a company that prompts adults to engage in sexual affairs have all been subject to massive data hacking incidents, which has led to millions of dollars in damages and the resignation of top executives.

In an attempt to stay ahead of the burgeoning threat, NAIC last year launched the Cybersecurity Task Force to help coordinate insurance issues related to cybersecurity.

In April, NAIC issued a 12-point document titled “Principles for Effective Cybersecurity: Insurance Regulatory Guidance.”

Along with drafting the Cybersecurity Bill of Rights, NAIC and state insurance regulators are conducting examinations of insurance carriers to check whether companies are doing enough to protect sensitive data and confidential information.

NAIC also is co-sponsoring a forum with the Center for Strategic and International Studies on Sept. 10 in Washington. Data and information technology experts, as well as Commissioner Hamm, will serve as panelists.

"The threat of a cyber-attack is very real, and state regulators are committed to developing the tools we need to ensure effective regulation in this area," Hamm, said in a news release announcing the creation of the Cybersecurity Task Force in November. "The American public relies on insurance for financial peace of mind, and our leadership in this area is critical to maintaining that trust."

One of thorniest issues surrounding the Cybersecurity Bill of Rights is how its protections dovetail with state consumer protection laws already on the books.

Insurance groups fear the Cybersecurity Bill of Rights isn’t clear as it its intended use, said Roberta Meyer, vice president and association general counsel of the ACLI. She said this has the potential to confuse consumers and carriers.

Provisions in the Cybersecurity Bill of Rights may be misunderstood as granting consumers rights and protections that go beyond the protections provided under the laws of the state in which a consumer lives, and obligations of carriers may go beyond what is necessary under applicable law, she said.

Groups representing insurance agents have proposed deleting references to producers and replacing the phrase “insurer, insurance producer or other state-regulated entity” with the phrase “as outlined in applicable state and federal law.”

NAIC has neither the power to enact laws nor to draft regulation in the same way that a federal agency does, legal experts note, so there’s little or no chance the Cybersecurity Bill of Rights will become a binding document.

Even other regulators have expressed reservations about how effective such a Cybersecurity Bill of Rights might be when bumping up against state laws enacted by respective legislatures around the country.

Because each state law contains different requirements and must be followed in the event of a data breach, “it may be that this broad and general Cybersecurity Bill of Rights will have limited utility,” said Susanne K. Murphy, special deputy commissioner with the Florida Office of Insurance Regulation.

InsuranceNewsNet Senior Writer Cyril Tuohy has covered the financial services industry for more than 15 years. Cyril may be reached at [email protected].

Cyril Tuohy is a writer based in Pennsylvania. He has covered the financial services industry for more than 15 years. He can be reached at [email protected].