Mandating privacy safeguards for the insurance sector

Insurance applications – privacy requirements ahead.

NAIC Summer 2017 Cybersecurity Working Group
Carter Schoenberg

On August 7, 2017, the National Association of Insurance Commissioners (NAIC) held its summer session at the Philadelphia Convention Center. The event runs for several days, but this day was of particular interest because the Cybersecurity Working Group was one of the key focal points, specifically the proposed adoption of the most recent version of the NAIC’s Model Law. This proposed law would directly affect how “any” licensee protects client personally identifiable information (PII).

The model law defines a licensee as follows:

“Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State.

It also brings the insurance sector’s supply chain into scope:

“Third-Party Service Provider” means a Person, not otherwise defined as a Licensee, that contracts with a Licensee to maintain, process, store or otherwise is permitted access to Nonpublic Information through its provision of services to the Licensee.

It is important to note that these provisions were not drafted in a vacuum; they incorporate materials and opinions from all 50 states’ commissioners and from some industry participants. The current draft is Version 6.0. It adopts many of the key characteristics of the State of New York’s recently adopted cybersecurity requirements for financial services (23 NYCRR Part 500), which also cover the insurance sector.

While earlier versions were being developed over the past couple of years, there were concerns that such a law would be overly burdensome to licensees because of duplicative levels of effort: the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) already apply to the intended stakeholders of the proposed law, and the NAIC wanted to ensure the law would not impose redundant obligations on them.

It is important to note that if you comply with the State of New York’s cyber regulation, you are by default compliant with the proposed NAIC requirement. If you are compliant with HIPAA and/or GLBA, however, you are not necessarily compliant with the language set forth in Version 6: HIPAA, for example, does not align one-for-one with the safeguards described in the model law, so only those controls that are genuinely “duplicative” would be exempt; the remaining safeguards still have to be implemented.

There is a proposed requirement to retain records of cybersecurity events for five years, to include non-electronic (paper) records as well, and to set the notification trigger at 250 records. A motion to adopt these modifications carried, with three states voting no. So now we have a potential requirement for a licensee (broker, carrier, etc.) to notify the state insurance commissioner when a breach is identified. This will also affect Alabama and South Dakota, the remaining two states without a data breach reporting requirement.

From here, the Model Law goes to the Innovation Committee for procedural approvals before ratification by the Plenary and Executive Committees. Depending on how fast it moves through each of these three stages, licensees could be looking at having this in place by the end of this year.

It is important to note that while we may think of an insurance agent as simply an employee of a large carrier like State Farm or Travelers, the reality is that many stakeholders in the industry are independent agents who have your application data on their personal laptops. What will be interesting to see is how the corporate policies of the larger brokers and carriers evolve to impose greater cybersecurity controls and reduce the likelihood of a cybersecurity incident.

Recently I was in Minneapolis and, by happenstance, engaged in a discussion with an insurance stakeholder. This individual shared an experience from about four years ago in which an employee plugged in a USB drive; malware propagated rather quickly and had significant implications for business operations, allegedly preventing a company with over 10,000 employees from using corporate computing resources for a full week, all because of this very common and unintentional act. While it was conveyed that they “had a ‘come to Jesus’ on cyber,” given our reactionary nature, how much impact will this Model Law have? There is a section that describes penalties, but I believe at this stage it will be determined on a state-by-state basis, as 48 states have sanctions and penalties incorporated into their data breach reporting requirements.

Copyright © 2017 IDG Communications, Inc.