When hackers broke into Anthem Inc.’s security system in 2015, as many as 80 million current and former policyholders with the health insurer had their data compromised. The breach led to several lawsuits against Anthem and sparked a serious discussion in the industry on the rights of consumers and the responsibilities of insurance firms as they relate to data security.
After some initial criticism from the industry, including from the American Council of Life Insurers, the American Insurance Association and America’s Health Insurance Plans, NAIC revised and republished the bill last month.
But the changes don’t do much to dispel the real concerns shared by many insurance companies, attorney John C. Pitblado with Carlton Fields said this week.
At the heart of industry concern are the uniform notification laws prescribed for insurance companies, which may require firms to go above and beyond the actions stipulated in state law.
“The prior version required an insurer to provide notice to 50 different state attorneys general and 50 different insurance commissioners,” said Pitblado, who is a member of the firm’s insurance industry group and data privacy task force. “The revised model law, however, does not fairly meet these concerns, as it maintains notification requirements to insurance commissioners, but does not contain any changes indicating that the notification requirements supersede other state notification laws, effectively leaving insurers with two sets of 50 different standards.”
He did note that the revised draft made some headway, particularly in altering mandatory “shall” language that could have been interpreted as requiring agency action in the event of any suspected violation under the law. Now, such enforcement actions are permissive and within the discretion of the commissioner.
The new version of the law also eliminates the requirement that insurance companies notify policyholders of the types of information collected and stored.
Still, “some fundamental problems that insurers have previously expressed, especially surrounding uniformity and the superseding of other state notification laws, remain in this draft,” Pitblado said.
Insurers and others have until September 16, 2016 to comment on the new proposed law.