By John Hilton
February 10, 2020

Data security remains one of the biggest issues in the insurance industry, with regulators racing to stay ahead of cyber criminals.

The impact of potential breaches, as well as compliance costs, starts with insurers, but is felt all the way down to the producer level. After all, it is the agents and advisors who are at the forefront dealing with consumer data.

California is capturing most of the attention with its California Consumer Protection Act, which took effect Jan. 1 and sets a high bar for data privacy. The sweeping law is acknowledged as the toughest passed to date.

But it is not the only one. In October 2017, the National Association of Insurance Commissioners adopted its Insurance Data Security Model Law and sent it to the states for legislative consideration.

So far, the law is on the books in eight states: Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina.

"Currently, eyes are on Indiana, Maine, Oklahoma, Virginia, and Wisconsin, where legislation to adopt the model is pending," wrote Josephine Cicchetti, a partner at Faegre Drinker. "Georgia has not released draft insurance data security legislation, but reportedly is discussing draft language."

In Minnesota, Gov. Tim Walz recently vowed to pass a tough data security law for insurance companies doing business in his state.

The NAIC push for a model law was prompted in 2016 by a string of cybersecurity breaches of sensitive personal information about millions of insurance customers, the association has said.

The nation's largest breach of health care data, affecting 78.8 million Americans, was reported in 2015 at the Blue Cross licensee Anthem, Inc. The second- and third-largest confirmed breaches were also reported that year, at Blues plans.

'A Dramatic Rise'

Insurers are among those companies caught in the middle between escalating cyber threats and increasing regulatory mandates, said the law firm Eversheds Sutherland in a year-end data privacy review.

"Companies are also girding themselves for a dramatic rise in corresponding litigation, especially with the CCPA’s new private right of action," the review noted.

The U.S. Treasury Department has said it may be necessary for Congress to establish national uniform data security regulations if states don't do it themselves in the next few years.

"State adoption of the model [law] is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information," the NAIC said in a December fact sheet about the law.

Some key provisions in the NAIC data security model include:

· Make risk-based determinations on the security controls that should be implemented.
· Ensure the licensee’s Board or executive management carries out oversight of compliance.
· Exercise due diligence concerning data security in the selection of third-party service providers, and require third-party service providers to maintain reasonable safeguards.
· Maintain an incident response plan, and notify the insurance commissioner of a cybersecurity event within 72 hours.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at john.hilton@innfeedback.com. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2020 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.