Cybersecurity Bill Trimmed by NAIC

By Cyril Tuohy

A scaled-down version of a proposed “Cybersecurity Bill of Rights” to provide a framework for insurance carriers and agents exposed to a data breach has been adopted by a panel of the National Association of Insurance Commissioners.

The bill of rights will proceed before the full membership of the National Association of Insurance Commissioners (NAIC) for discussion, and eventual adoption.

Monica J. Lindeen, NAIC president and Montana insurance commissioner, said in a news release that cybersecurity remains one of the NAIC’s “key priorities.”

“Our commitment to strengthening the NAIC’s technical and information services infrastructure and our security environment is demonstrated in our current budget, as well as strategic planning for the next few years,” she said.

Drawing up the Cybersecurity Bill of Rights is part of that strategy. The NAIC’s Cybersecurity Task Force adopted the document last week, in the midst of Cybersecurity Awareness Month.

The simplified version of the bill of rights outlines six “rights” consumers can expect from insurance carriers and brokers who solicit and keep important personal information and data about consumers applying for coverage.

An initial version of the document drawn up over the summer contained 12 points outlining consumers’ rights in the face of a data breach affecting the industry.

Many of the changes in the simplified version of the bill of rights adopted last week remove some of the reporting requirements that insurances carriers and agents found onerous, cumbersome and potentially confusing to victims of data breaches.

In most states, for instance, agents and producers are not required to provide privacy notices if the notices are provided by carriers.

Even consumer advocates called on the NAIC to make the Cybersecurity Bill of Rights less dense so as not to deter consumers from reading the document in the first place.

For example, in the latest version of the bill, consumers can expect carriers and agents to have a privacy policy posted on their website and available in hard copy when asked.

The initial version spelled out consumers’ expectation that carriers and producers holding information connected to any insurance transaction was adequately protected.

In addition, the latest version of the Cybersecurity Bill of Rights removes all specific references to health insurers and to the Health Insurance Portability and Accountability Act (HIPAA). It also removes any reference to the summary of the rights of data breach victims under the Fair Credit Reporting Act.

The latest version also guarantees that consumers receive at least one year of identity theft protection paid for by a company or agent involved in a data breach, trimmed back from a minimum of two years of identity theft protection in the initial version.

Many of the key rights such as a 60-day notification maximum, freezes on credit reports and detailed descriptions of the data or information that was compromised have been retained in the version adopted by the panel Oct. 14.

“Consumers had a right to expect their personal, financial and health information entrusted to the insurance industry is secure,” said Adam Hamm, chair of the NAIC Cybersecurity Task Force and North Dakota insurance commissioner, in a news release.

“They also deserve to know when a breach occurs so they can safeguard themselves against identity theft or other types of fraud,” he also said. ”This Bill of Rights is designed to assist consumers when sensitive information is breached.”

InsuranceNewsNet Senior Writer Cyril Tuohy has covered the financial services industry for more than 15 years. Cyril may be reached at [email protected].

Cyril Tuohy is a writer based in Pennsylvania. He has covered the financial services industry for more than 15 years. He can be reached at [email protected].