Insurers, Regulators Race To Stay Ahead Of Cyber Crooks

Data security remains one of the biggest issues in the insurance industry, with regulators racing to stay ahead of cyber criminals.

The impact of potential breaches, as well as compliance costs, starts with insurers, but is felt all the way down to the producer level. After all, it is the agents and advisors who are at the forefront dealing with consumer data.

California is capturing most of the attention with its California Consumer Protection Act, which took effect Jan. 1 and sets a high bar for data privacy. The sweeping law is acknowledged as the toughest passed to date.

But it is not the only one. In October 2017, the National Association of Insurance Commissioners adopted its Insurance Data Security Model Law and sent it to the states for legislative consideration.

So far, the law is on the books in eight states: Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina.

"Currently, eyes are on Indiana, Maine, Oklahoma, Virginia, and Wisconsin, where legislation to adopt the model is pending," wrote Josephine Cicchetti, a partner at Faegre Drinker. "Georgia has not released draft insurance data security legislation, but reportedly is discussing draft language."

In Minnesota, Gov. Tim Walz recently vowed to pass a tough data security law for insurance companies doing business in his state.

The NAIC push for a model law was prompted in 2016 by a string of cybersecurity breaches of sensitive personal information about millions of insurance customers, the association has said.

The nation's largest breach of health care data, affecting 78.8 million Americans, was reported in 2015 at the Blue Cross licensee Anthem, Inc. The second- and third-largest confirmed breaches were also reported that year, at Blues plans.

'A Dramatic Rise'

Insurers are among those companies caught in the middle between escalating cyber threats and increasing regulation mandates, said the law firm Eversheds Sutherland in a year-end data privacy review.

"Companies are also girding themselves for a dramatic rise in corresponding litigation, especially with the CCPA’s new private right of action," the review noted.

The U.S. Treasury Department has said it may be necessary for Congress to establish national uniform data security regulations if states don't do it themselves in the next few years.

"State adoption of the model [law] is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information," the NAIC said in a December fact sheet about the law.

Some key provisions in the NAIC data security model include:

• Make risk-based determinations on the security controls that should be implemented.
• Ensure the licensee’s Board or executive management carries out oversight of compliance.
• Exercise due diligence concerning data security in the selection of third-party service providers, and require third-party service providers to maintain reasonable safeguards.
• Maintain an incident response plan, and notify the insurance commissioner of a cybersecurity event within 72 hours.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2020 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.