On October 15, 2015, the U.S. National Association of Insurance
Commissioners ("NAIC") released the Cybersecurity Bill of Rights (the
"Bill"). The Bill, released during
cybersecurity awareness month, is intended to improve consumer
protection and to assist with updating model laws. In practice, it
may expand the protections afforded to consumers, and the
obligations placed on insurance companies and agencies, beyond
those provided in current state and federal laws.
The NAIC's Cybersecurity Task Force ("Task
Force") was formed in November 2014 to assist the
NAIC to address cybersecurity issues in the insurance industry. As
acknowledged by NAIC President Monica J. Lindeen,
"Cybersecurity is one of the biggest challenges facing
businesses today and this is one of our association's key
The Bill was created in part to help update model laws
considered by the Task Force, but the key focus of the project was
improving protection for consumers. NAIC Cybersecurity
Task Force Chair Adam Hamm noted:
"Consumers have a right to expect their personal, financial and
health information entrusted to the insurance industry is secure.
They also deserve to know when a breach occurs so they can
safeguard themselves against identity theft or other types of
fraud. This Bill of Rights is designed to assist consumers when
sensitive information is breached."
The release of the Bill is in addition to the April 2015 release
of the Principles for Effective Cybersecurity Insurance Regulatory
Guidance, as discussed in a previous post here.
The wording of the Bill itself is short, simple, and succinct;
the implications are far more substantial. In a statement of six
key rights of consumers, the Bill creates an expectation of notice
of breach within 60 days of occurrence and a right to a free year
of credit monitoring in the event of a breach.
The Bill includes the right to:
- Know the types of information collected and stored by an
insurance company, as well as any agent or business they contract
with (including marketers and data warehouses);
- Expect insurance companies and agencies to have a privacy
policy posted on their website (and available in hard copy, upon
request) detailing the personal information they collect, the
choices consumers have about their data, how the consumer can view
and modify that data if necessary, how data is stored and
protected, and the recourse available to a consumer if the
insurance company or agency does not comply with its privacy
- Expect the insurance company, agent, or any business they
contract with to take reasonable steps to prevent unauthorized
persons from seeing, stealing, or using personal information;
- Receive notice in writing from the insurance company, agent, or
any business they contract with if a data breach has occurred (or
if it seems likely that such a breach has occurred) within 60 days
after the breach is discovered, which should describe the type of
information involved, how individuals can protect themselves from
identity theft or fraud, the actions being taken to protect information,
and contact information for the three nationwide credit bureaus and
for the company or agent;
- Receive one year, at minimum, of identity theft protection, at
the cost of the company or agent involved in the data breach.
In addition to the specific rights above, the final section of
the Bill sets out the specific credit-reporting rights a
consumer has in the case of identity theft, including the right to
place a 90-day initial fraud alert and a seven-year extended fraud
alert on credit reports, to require the removal of fraudulent
information from credit reports, and to stop creditors and debt
collectors from reporting fraudulent accounts related to the
The Bill contains links to information about the protections in
particular states and notes that specific rights may vary based on
state and federal law.
The Bill was created to be consumer-friendly and written in
plain language to convey to the public what to expect in the event
of a data breach. The U.S. insurance industry has expressed
concern that the Bill may expand both the protections
afforded to consumers and the obligations of insurance companies beyond
those required by applicable law. A key issue is that the Bill
has not been adequately described as the ambitious document that
it is. Suggestions for improvement from key industry groups, such
as the American Council of Life Insurers, the U.S. National
Association of Health Underwriters, and the U.S. National
Association of Insurance and Financial Advisors, among others,
include adding language to clarify the purpose of the
document, reduce potential confusion, and emphasize that rights may
vary by jurisdiction.