On October 14, 2015, the National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force adopted the Cybersecurity Bill of Rights, a document meant to inform consumers of the services they can expect from insurance entities that possess their personal information. The Bill of Rights is part of an ongoing effort by the Task Force to improve response measures among insurance entities, update NAIC model laws on cybersecurity, and educate consumers on how best to protect their information when a data breach occurs.
The document notes, “This Cybersecurity Bill of Rights describes what you can expect from insurance companies,” but “Your specific rights may vary based on state and federal law.” This clause, added in response to legitimate concerns that the rights declared could conflict with existing state and federal provisions, makes the Bill of Rights more an aspirational and informational document than a legal one. In addition, adoption by the NAIC Cybersecurity Task Force is just the first step in the review process. The full membership must still discuss and approve the Bill of Rights before they update any existing model laws to conform to it.
When compared with the more onerous requirements of states and insurance entities that have taken a proactive approach to the regulation of data breaches and protection of personal information, the Task Force’s Cybersecurity Bill of Rights does little to expand the options available to consumers. However, if the Bill of Rights is approved by the full membership and incorporated into the relevant model laws with no further modifications, it will create increased pressure to update state laws that fall short of these rights.
Considering the concerns expressed during the drafting of the document by the American Council of Life Insurers, the American Insurance Association, and many other industry voices (summarized by the NAIC here), the Bill of Rights likely expresses the direction the NAIC is heading, but is not a concrete statement of the updates it will incorporate into its model laws.
1. The Right to Know How Personal Information is Used
The first right provides insurance consumers with the right to “Know the types of personal information collected and stored by your insurance company, agent or any business they contract with (such as marketers and data warehouses).”
This right reflects the legal requirements of two significant federal laws. Under the Gramm-Leach-Bliley Act, insurance companies must explain their information-sharing policies to consumers. Likewise, under the Fair Credit Reporting Act, which protects information collected by consumer reporting agencies and medical information companies, information in a consumer report cannot be disclosed to any entity that does not have a specific purpose under the Act. For example, if an insurer uses a consumer’s credit report to determine whether, or how, to issue a policy, they cannot pass that information on to any entity that does not “intend to use the information in connection with the underwriting of insurance involving the consumer.” Likewise, once finished using the report, the insurer must dispose of it so that it cannot be reconstructed (by burning, pulverizing, or securely deleting).
Though the first right does not necessarily expand upon Gramm-Leach-Bliley or the Fair Credit Reporting Act, it will result in more consumers caring about what kinds of personal information insurance entities require — and worrying about how that information is being used.
2. The Right to Inspect Privacy Policies
The second right provides insurance consumers with the right to “expect insurance companies/agencies to have a privacy policy posted on their website and available in hard copy, if you ask.” This section also explains the types of information a consumer should expect a privacy policy to contain, including:
-
Personal Information Collected: What types of personal information the agency or insurer collects
-
Consumer Options: What choices consumers have about their data
-
Accessibility: How consumers can see and correct their data
-
Security: How the data is stored and protected
-
Remedies: What recourse consumers have if an insurer or agency does not follow their privacy policy
3. The Right to Reasonable Protection of Information
The third right provides consumers with the right to expect any insurance company, agent, or company they contract with to “take reasonable steps to keep unauthorized persons from seeing, stealing, or using [their] personal information.”
Determining what is “reasonable” in the context of an ever-evolving technological threat is challenging. The most instructive document to explain what the NAIC considers “reasonable” is its Standards for Safeguarding Customer Information Model Regulation. That document establishes general guidelines for “developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.”
4. The Right to Notification of Data Breach
The fourth right provides consumers with the right to appropriate notice in the event of a data breach. Notice requirements vary significantly from state to state, creating complexities whenever an insurer subject to multiple states’ requirements experiences a breach. The Task Force attempts to simplify this process by establishing a uniform standard for triggering notice. Consumers have a right to “get notice” from any insurance entity they contract with if “an unauthorized person has (or it seems likely they have) seen, stolen, or used [the consumer’s] personal information.”
Many states require companies to notify state agencies and consumers when personal information is compromised. For example, Florida’s Information Protection Act of 2014 requires that companies experiencing a data breach provide notice to each individual whose information was, or reasonably could have been, compromised as a result of the breach, unless it is not likely that the breach will result in financial harm.
The 2014 Florida law is, in some ways, more onerous than the NAIC rights outlined above. For instance, the Florida law requires that notice be sent within thirty days of determination that a breach occurred. The Task Force’s provisions on notice are below, with a comparison to Florida’s parallel provisions.
5. The Right to One Year of Identity Theft Protection
The fifth right provides consumers with the right to “at least one (1) year of identity theft protection paid for by the company or agent involved in a data breach.” This right may be the most burdensome for insurance entities in the case of a data breach.
Currently, only two states — Connecticut and California — require one year of protection after a breach occurs. However, some companies already choose to provide more than one year. For example, following a January 2015 breach, Anthem contracted with AllClear ID to offer a $1 million identity theft insurance policy and two years of identity theft repair and credit monitoring services.
Though this right goes beyond what most state laws require, it is clear that NAIC proposals are not the only form of pressure to provide greater protection that insurance entities feel. Rather, market reputation and customer retention have already motivated companies in the insurance sector, and beyond, to provide extensive options to assist consumers after a breach.
6. The Right to Initiate Fraud Alerts, Freezes, and Fraudulent Information Removal
The sixth right provides consumers with the right to prevent further damage to their credit history in case their identity is stolen. This right does not stipulate any duties for insurers; rather, it merely lists options that consumers already have available to limit damage in the event of a breach. These options include contacting consumer-reporting agencies and instituting holds, alerts, or freezes, as follows:
-
90-Day Fraud Alert: Consumers may opt to put an initial, 90-day fraud alert on their credit reports, which requires additional steps to verify any new accounts or credit checks with the consumer
-
Seven-Year Fraud Alert: Consumers may also opt to put a longer, seven-year fraud alert on their credit files, which also allows them to access two free credit reports within 12 months from each of the three nationwide credit-reporting companies
-
Credit Freeze: Consumers may put a credit freeze on their files — preventing any creditor from getting their credit report unless the consumer temporarily lifts the freeze
-
Free Credit Report: Consumers may ask for a free credit report from each credit bureau
-
Information Removal: Consumers may have any fraudulent information related to the data breach removed from their credit report
-
Information Disputes: Consumers may dispute fraudulent or incorrect information on their reports
-
Fraudulent Accounts: Consumers may stop creditors from reporting fraudulent accounts related to the data breach
-
Additional Information: Consumers may get copies of documents related to the identity theft
-
Limiting Contact: Consumers may stop debt collectors from contacting them
Whether or not these rights are ratified and incorporated into the NAIC’s model laws in their current form, the Bill of Rights succeeds in consolidating numerous state and federal provisions into an easy-to-understand consumer policy. This will expand consumer awareness of, and demand for, the information protection services that insurance entities are increasingly expected to provide.