While US regulators attempt to require insurers to be more aggressive in protecting consumer data from cyber attacks, in August 2016 the NAIC’s Cybersecurity Task Force released an amended version of its draft Insurance Data Security Model Law.
The NAIC model law proposes to establish “uniform” standards for data security, for investigations, and for notification of a data breach. The model law would apply to all insurance entities, producers and other parties, not only insurance companies. It would require a very comprehensive written “information security program,” and each licensee’s board of directors would be responsible for overseeing and approving the program and ensuring its compliance with the law. It was hoped that the NAIC model would establish uniformity among state laws and regulations; however, because it states that it would not “supersede existing state laws and regulations,” any chance for uniformity across state lines becomes moot. Not only do at least 47 states have their own breach notification requirements, but there are layers of federal laws as well. Compliance will be a nightmare for all insurance entities, big or small.
Contrast the NAIC model law with New York’s proposed regulation entitled “Cybersecurity Requirements for Financial Services Companies.” New York’s proposed regulation has caused significant concern within the industry, especially with an effective date of January 1, 2017. According to recent industry comments, the regulation would impose an undue hardship and burden on all insurance entities and on third parties doing business with them. Producers, for example, would be required to have a separate plan conforming to each of their insurers’ plans, as well as their own plan to comply with the regulation as a covered entity.
Of major concern with the New York proposed regulation is its potential extraterritorial reach. For example, if an insurer cannot segregate its New York customer data from data that covers more than New York risks, then the financial institution must comply with the onerous regulatory requirements in the other states where it conducts business as well. In addition, once the regulation becomes effective, covered entities have only a short window of time to develop and implement a compliant plan.
If the effective date of New York’s regulation is not postponed, and the NAIC is unable to amend its proposal to preempt state laws and regulations and have the model law adopted at its December national meeting, insurance entities and third parties doing business with covered entities may be faced with up to 50 states’ varying laws and regulations to comply with. If ever there was a reason to have “uniformity” among the states, it is now. The industry clearly recognizes the need for cybersecurity regulations, and the need to move quickly, but in order for all required entities to comply across state lines, the regulators must agree on one platform.
Refer to page 10 of the Winter 2016-2017 issue for the full article: https://www.airroc.org/assets/docs/matters/airroc_matters_winter_2016_2017_vol_12_no_4.pdf