Questions Remain Regarding Revised NAIC Data Security Model Law
The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Task Force released its second version of the Insurance Data Security Model Law (Model) on August 17. The first version was exposed on March 3, and was the subject of concern for industry representatives during the NAIC Spring Meeting in early April. Similar concerns were expressed during the Model’s written comment period, which extended into early June.
Industry representatives were concerned that, among other things, the first version of the Model presented unworkable federal preemption issues, had an overly extensive definition of personal information, and was not being drafted in collaboration with industry stakeholders. The revised version addresses many of the issues raised by industry comments, but questions remain regarding the intended scope and application of the Model in relation to overlapping state data security laws regulating information security programs and data breach notifications.
Scope and Applicability: Overlap With Other State Laws
Of greatest concern is the revised Section 2 of the Model. The first version of Section 2 stated, “No other provision of state or federal law or regulation regarding data security or investigation or notification of a breach of data security shall apply to licensees subject to the provisions of this Act.” This clause presented potentially unworkable federal preemption issues, and has been removed in the second version of the Model.
The revised Section 2 only addresses other state data security laws, stating, “This Act shall not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation of law in this state, except to the extent that such statute, regulation, order or interpretation is inconsistent with the provisions of this Act and then only to the extent of the inconsistency.” At the NAIC Summer Meeting, held in late August, industry representatives noted that the enactment of this clause would create overlapping data security frameworks. Insurance licensees would remain subject to the general state data breach notification and information security laws of the state, except to the extent those laws conflict with the Model, and upon enactment of the Model would also be subject to its provisions. This arguably creates a regulatory framework that works against the goal of simplifying and tailoring the data security regulations insurance licensees are subject to, and instead adds an additional layer of regulation, which licensees will have to navigate along with other state laws on cybersecurity.
Enforcement: Incorporation of Other State Laws
Another notable change is the removal of Section 15 (Individual Remedies) which provided a private cause of action to enforce the provisions of the Model. The original version of the Model stated, “If any licensee fails to comply with Section [insert section(s) addressing consumer rights] of this Act with respect to the rights granted under those sections, any person whose rights are violated may apply to the [insert title] Court of this state, or any other court of competent jurisdiction, for appropriate equitable relief.” The revised Model removes Section 15, and clarifies in Section 2, “This Act may not be construed to create or imply a private cause of action for violation of its provisions.”
The removal of the “Individual Remedies” provisions of the Model follows the drafters’ trend of deferring to and incorporating other state laws on enforcement and procedure rather than creating specific procedural provisions applicable only to data security issues for insurance licensees. The new Section 9 (Enforcement) states, “Whenever the commissioner has reason to believe that the licensee has been or is engaged in conduct in this state which violates this Act, the commissioner may issue and serve upon such licensee a statement of charges and notice of hearing . . . conducted in accordance with [cite provisions of state administrative procedure act or insurance code applicable to administrative enforcement proceedings for serious violations].” Likewise, the new Section 11 (Penalties) states, “In the case of a violation of this Act a licensee may be penalized in accordance with [insert general penalty statute].” The removal of Sections 12 (Cease and Desist Orders and Reports), 13 (Penalties), 14 (Judicial Review of Orders and Reports), and 16 (Immunity) also reflects this trend.
Notice: Reduced Three-Day Commissioner Notification Period
In revised Section 6 (Notification of a Data Breach), the drafters reduced the time that insurance licensees have between a data breach and submitting notification of that breach to the insurance commissioner from five business days to three. Perhaps more important, the revised Model clarifies, “The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the commissioner concerning the data breach.” Though licensees would already have had to respond to any requests by the commissioner to provide more information concerning a data breach, this new clause puts a proactive obligation on licensees to update the commissioner on any developments after the breach occurs. It remains unclear exactly what kind of updates or supplements would be expected.
With regard to the notification provided to consumer reporting agencies, the revised draft removes the original 60-day notification requirement in favor of a looser standard. Licensees must now provide that notification “as expediently as possible and without unreasonable delay, after determining that a data breach has occurred.” Furthermore, the revised version reduces the number of affected persons required to trigger consumer reporting agency notification from 1,000 to 500.
The revised provisions relating to consumer notification also now require notification “as expediently as possible and without unreasonable delay,” but clarify that this should be “in no case later than sixty” days after identification of a breach. The revised version also specifies how notification to consumers may be made: in “writing by first class mail,” “[e]lectronically if the consumer has agreed to be contacted through e-mail,” or “by substitute method if ... the cost of providing notice ... would be excessive or ... another legitimate reason exists for substitute notice.”
Definitions: Tweaks Fill Gaps, But Leave Room for Interpretation
The new version has some significant definitional changes as well. The definition of personal information now includes “the consumer’s date of birth” and “[a]ny information of the consumer that the licensee has a legal or contractual duty to protect from unauthorized access or public disclosure” in combination with the name of the consumer. In addition, the revised version adds a catch-all clause stating that any of the data elements that would normally only constitute personal information in combination with the consumer’s name are Personal Information, even if they are not in combination with the consumer’s name, so long as “those elements would be sufficient to permit the fraudulent assumption of the consumer’s identity or unauthorized access to an account of the consumer.” Though the original definition of personal information was already extensive, these additional categories close any definitional gaps through which consumer information of any significance could have fallen.
The revised Model also moves away from referencing formal data security program frameworks in favor of less definite standards. The revised Section 4 (Information Security Program) eliminates the requirement that licensees use “The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).” Instead, the revised Model requires a licensee to “[d]esign its information security program to mitigate the identified risks ... based on generally accepted cybersecurity principles.”
Likewise, the original Model required licensees to “[u]se an Information Sharing and Analysis Organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities,” but now only requires licensees to “[u]se generally accepted cybersecurity principles” to do so. Though the Model still provides extensive information on what an information security program should include, the standard of “generally accepted cybersecurity principles” is a difficult one to pin down, because what such a program must contain evolves with changing technology and with the methods used to gain unauthorized access to personal information.
The revised Model resolves some of the issues raised by industry representatives in the first round of comments. However, the Model still raises questions as to how it will mesh with existing state data security laws. As numerous industry representatives noted in their verbal comments at the NAIC’s Summer Meeting, without further revision, the Model will face continued resistance from stakeholders and, as a result, challenges in uniform state adoption.
Written comments were to be submitted by September 16th, with an open call addressing those comments to be held shortly thereafter. The short comment period is an indication that the Task Force wishes to move the Model forward as quickly as possible, and is attempting to finalize the draft before year end. If the Task Force continues its pattern of exposures for 2016, we can expect a revised draft before the NAIC’s Fall Meeting, taking place in Miami on December 10 – 13.