Insurance Industry: Mid-2023 Privacy and Data Security Updates
At a Glance
- At the Summer National Meeting, NAIC’s Privacy Protections (H) Working Group acknowledged more time is needed to thoughtfully address interested-party feedback on new consumer privacy protection Model Law #674, and it will seek a drafting extension.
- Including New York’s 23 NYCRR 500, the insurance industry now must comply with 24 separate versions of data security laws.
- Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas each passed a comprehensive privacy law, bringing the total states with such comprehensive privacy laws to 12. (California, Colorado, Virginia and Connecticut’s laws are already in effect, and Utah’s law goes into effect on December 31.) Delaware’s legislature also passed a comprehensive privacy law, but it has yet to be signed by the governor.
- Effective September 5, the SEC’s final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requires public companies to report material cybersecurity incidents within four business days of determining an incident to be material.
The first half of 2023 saw a flurry of activity in the privacy and data security spaces. We outline below some of the key developments of interest to the insurance industry.
NAIC Drafting Efforts on Insurance Consumer Privacy Protection Model Law #674
The National Association of Insurance Commissioners’ (NAIC) Privacy Protections (H) Working Group (“Working Group”) continued its efforts drafting a new model law, Model 674, intended to replace NAIC Models 670, Insurance Information and Privacy Protection Model Act, and 672, Privacy of Consumer Financial and Health Information Regulation. The Working Group released an initial exposure draft of Model 674 on January 31, 2023. After accepting comments from interested parties, holding three open working group calls and hosting an in-person interim drafting session, the Working Group exposed a revised draft on July 11 with a short comment period through July 28. The Working Group hosted an open call on July 25 to hear preliminary comments and discussed the revised exposure draft at the Working Group’s meeting at the NAIC Summer National Meeting on August 13.
Industry representatives (and some regulators) continue to voice concerns about the development of a new model law, as opposed to updating the current models. Industry has stated that the draft contains onerous requirements that go beyond the current insurance privacy framework and beyond privacy frameworks in other industries, creating stricter requirements for insurance licensees than for other types of entities. For example, industry interested parties have expressed concerns with (1) the lack of definition of “additional activities”; (2) the broadly applicable and burdensome requirements around retention, deletion and sharing of personal information; and (3) the onerous third-party service-provider oversight requirements. Consumer representatives have continued to support development of the new model law, stating that the draft’s broad consumer protections are much needed.
At the Summer National Meeting, the Working Group acknowledged more time is needed to thoughtfully address interested-party feedback and it will seek a drafting extension from the Innovation, Cybersecurity, and Technology (H) Committee. Once comments from the latest exposure have been analyzed, the Working Group will release a revised draft with a longer comment period. Feedback from the revised draft will inform the Working Group’s extension request; an exact date has not been proposed, but it’s likely to occur before the Fall National Meeting.
State Insurance Data Security Law Adoptions
As of this date, 23 states have adopted legislation based on the NAIC’s Insurance Data Security Model Law (NAIC MDL-668). Pennsylvania and Illinois are the most recent jurisdictions joining the list of insurance data security law adoptees. Including the New York Department of Financial Services’ (NYDFS) 23 NYCRR 500, the insurance industry now must comply with 24 separate versions of data security laws.
On July 18, 2023, the Texas Department of Insurance (TDI) published Commissioner’s Bulletin # B-0009-23, requiring entities regulated by TDI to notify the department if the entity “experiences or discovers an unauthorized acquisition, release, or use of personal information or sensitive company information.”
On June 29, 2023, the NYDFS published revised proposed amendments to its cybersecurity regulations. Comments on the revised proposed amendments were due August 14, 2023. These revised amendments follow public comments on the earlier proposed amendments circulated in November 2022. If adopted, companies regulated by NYDFS would face several new requirements, including:
- the creation of a new category of large “Class A companies,” subject to stricter requirements (Class A companies are defined as companies with at least $20 million in gross annual revenue in each of the last two years from business in New York, and more than 2,000 employees averaged over the last two fiscal years regardless of location, or more than $1 billion in gross annual revenue over the last two years);
- obtaining annual board approval of cybersecurity policies;
- revised annual certification requirements;
- enhancements to multifactor authentication requirements, including for privileged accounts;
- development of data retention standards;
- increased board oversight including required CISO reporting to the board; and
- annual penetration testing.
Additional discussion of the revised proposed amendments is available here.
State Comprehensive Privacy Laws
Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas each passed a comprehensive privacy law, bringing the total states with such comprehensive privacy laws to 12. (California, Colorado, Virginia and Connecticut’s laws are already in effect, and Utah’s law goes into effect on December 31, 2023.) Delaware’s legislature also passed a comprehensive privacy law, but it has yet to be signed by the governor. Effective dates for the laws range from 2024 to 2026 and, like the laws already in effect, will only apply to entities meeting certain criteria, including whether an entity conducts business in their state or produces products/services targeted to consumers in their state, and also based on the volume of consumer data that is processed or controlled and the revenue derived from the sale of certain data.
Each of the comprehensive privacy laws contains exceptions that may be applicable to certain entities in the insurance industry, either based on the type of entity, or the type of information or data collected, including exceptions based on applicability of HIPAA, GLBA, FCRA and other laws. States that contain entity-level exemptions for entities subject to GLBA and/or HIPAA include Virginia, Colorado, Connecticut, Utah, Indiana, Iowa, Tennessee, Montana, Texas and Florida. California and Oregon contain data-level exemptions for data processed subject to GLBA and/or HIPAA. Oregon also exempts insurers, insurance producers, insurance consultants and third-party administrators. All states except Colorado and Oregon explicitly exempt nonprofit entities. All states except California explicitly exempt information collected in the employment context.
Even where an entity determines the data or information it collects may fall within one of these exceptions, it should be cautious to consider whether the exception is broad enough to cover all of its data collection activities or whether it might still be subject to one or more of these laws.
SEC Rule on Cybersecurity Risk Management
On July 26, 2023, the Securities and Exchange Commission (SEC) finalized its rule addressing Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The new rules are effective September 5, 2023. The rules require public companies registered with the SEC to report material cybersecurity incidents within four business days of determining the incident to be material. The rules also require public companies to make periodic disclosures on their processes for assessing, identifying and managing material risks from cybersecurity threats; the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats; and the material impact of cybersecurity threats or incidents.
For Further Information
We will continue to monitor and report on the potential impact of these developments on the insurance industry.