Proposed cybersecurity law for insurance firms has “fundamental problems”

Proposed cybersecurity law for insurance firms has “fundamental problems”

Proposed cybersecurity law for insurance firms has “fundamental problems” When hackers broke into Anthem Inc.’s security system in 2015, as many as 80 million current and former policyholders with the health insurer had their data compromised. The breach led to several lawsuits against Anthem and sparked a serious discussion in the industry on the rights of consumers and the responsibilities of insurance firms as they relate to data security.

That decision culminated in the creation of a “Cybersecurity Bill of Rights,” released in 2015 by the National Association of Insurance Commissioners (NAIC). Meant to be used as a model law affecting insurance companies and agencies, the bill required firms to draft a privacy policy and post it on their website, take “reasonable steps” in cyber defense and – most importantly – provide customers with written notice if a data breach has occurred within 60 days of the discovery of the breach.

After some initial criticism from the industry, including from the American Council of Life Insurers, the American Insurance Association and America’s Health Insurance Plans, NAIC revised and republished the bill last month.

But the changes don’t do much to dispel the real concerns shared by many insurance companies, attorney John C. Pitblado with Carlton Fields said this week.

At the heart of industry concern is the uniform notification laws prescribed for insurance companies, which may require firms to go above and beyond the actions stipulated in state law.

 “The prior version required an insurer to provide notice to 50 different state attorneys general and 50 different insurance commissioners,” said Pitblado, who is a member of the firm’s insurance industry group and data privacy task force. “The revised model law, however, does not fairly meet these concerns, as it maintains notification requirements to insurance commissioners, but does not contain any changes indicating that the notification requirements supersede other state notification laws, effectively leaving insurers with two sets of 50 different standards.”

He did note that the revised draft made some headway, particularly in altering mandatory “shall” language that could have been interpreted as requiring agency action in the event of any suspected violation under the law. Now, such enforcement actions are permissive and within the discretion o the commissioner.

The new version of the law also eliminates the requirement that insurance companies notify policyholders of the types of information collected and stored.

Still, “some fundamental problems that insurers have previously expressed, especially surrounding uniformity and the superseding of other state notification laws, remain in this draft,” Pitblado said.
Insurers and others have until September 16, 2016 to comment on the new proposed law.

Related stories:
Regulators issue cyber security guidelines for insurers and producers
Big data, cybersecurity concern nation’s insurance regulators