At the Summer 2022 National Meeting of the US National Association of Insurance Commissioners ("NAIC"), the Innovation, Cybersecurity, and Technology (H) Committee ("ICT Committee") and two of its subgroups—the Privacy Protections (H) Working Group ("PP Working Group") and the Big Data and Artificial Intelligence (H) Working Group ("BDAI Working Group")—met. The focus of the ICT Committee and its working groups spans significant areas of development and innovation in the insurance industry; accordingly, they are carrying on work on multiple fronts that will affect the insurance business in coming years. Below are highlights from the meetings.

Privacy Protections (H) Working Group

The PP Working Group met on August 9, 2022, and heard updates on state and federal privacy legislation. Currently five US states have passed comprehensive data privacy laws—California, Colorado, Connecticut, Virginia, and Utah. In addition, six US jurisdictions have pending data privacy legislation. However, given that these bills are still in their committees of origin, there has not been much movement with respect to them. At the federal level, on July 20, 2022, the House Energy and Commerce Committee passed the American Data Privacy and Protection Act ("ADPPA"). The PP Working Group highlighted that, under the current draft of the ADPPA, entities subject to the Gramm-Leach-Bliley Act ("GLBA") and the Health Insurance Portability and Accountability Act ("HIPAA") are not exempt but, rather, are deemed to comply with the ADPPA if they comply with the GLBA or HIPAA, as applicable.

The PP Working Group also received an update from the drafting group of the white paper on Consumer Data Ownership and Use, which is expected to be exposed for public comment in December 2022. The white paper will cover current and historical work by the NAIC with respect to data, data usage, and data protection; a history of laws at the NAIC, federal, and state levels with respect to data, data usage, and data protection; the different types of data, with a particular focus on personal data; how consumers' personal data is collected, used, and processed in insurance transactions; the legal and economic construct of data and how it differs from other types of property; recommendations on who is the owner, if anyone, of data in insurance transactions; and expectations with respect to data usage and data protections.

Finally, the PP Working Group requested approval to begin work on amending the NAIC's Insurance Information and Privacy Protection Model Act (#670) and the NAIC's Privacy of Consumer Financial and Health Information Regulation (#672), which was ultimately granted by the Executive (EX) Committee. The PP Working Group stated that its intent was to create a new model law to replace both Model Law #670 and Model Regulation #672.

Big Data and Artificial Intelligence (H) Working Group

The BDAI Working Group met on August 10, 2022, and received reports from several of its workstreams. Commissioner Gaffney of Vermont gave a report on the Artificial Intelligence ("AI")/Machine Learning ("ML") Survey workstream, which is analyzing the results of the AI/ML Survey for the private passenger auto line of business. The subject matter experts plan to publicly present their report at the NAIC's Fall National Meeting in December. The AI/ML Survey for the home line of business is in the final stages of development; once the NAIC programs the survey into its systems, 10 states will formally issue the market conduct data call, and insurers will likely be asked to respond within 30 days. Finally, the AI/ML Survey for the life line of business is in the development phase.

Commissioner Ommen of Iowa provided an update on the work of the Third-Party Data and Model Vendors workstream. The workstream is considering several potential initial steps for enhanced regulatory oversight of third-party data and model vendors, including requiring contracting insurers to certify that the models that are being used comply with certain standards and developing a library of third-party vendors.

Other Working Groups of the ICT Committee

The ICT Committee met on August 10, 2022, and heard reports from its various working groups, including the ones that did not hold meetings at the Summer 2022 NAIC National Meeting. In addition to the PP Working Group and BDAI Working Group, the following working groups gave updates:

  • Cybersecurity (H) Working Group – This working group continues to track the adoption of the Insurance Data Security Model Law (#668). Currently, 21 states have adopted Model Law #668. At the federal level, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA") was signed into law. CIRCIA requires that critical infrastructure operators report cybersecurity incidents to the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency ("CISA"). Earlier this year, CISA launched its "Shields Up" program campaign to warn critical infrastructure operators of cybersecurity threats. The working group also reported that the NAIC is planning to host a cybersecurity tabletop session with Maryland later this year.
  • E-Commerce (H) Working Group – The working group continues to review and consider the various issues raised by insurance departments and industry in response to the e-commerce surveys conducted in 2021 regarding impediments to e-commerce and the various steps taken by insurance departments with respect to e-commerce as a result of the COVID-19 pandemic. The working group has focused on five categories of issues:

    1. E-signatures
    2. E-notices
    3. Claims
    4. Policy
    5. Other

    The working group plans to expose its framework for public comment soon.
  • Innovation in Technology and Regulation (H) Working Group – As the newest group of the ICT Committee, this working group began holding discussions on the different approaches insurance departments are taking to encourage technological innovation, including innovation sandboxes.

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.