NAIC Tackles Cybersecurity Including Proposed Consumer Cybersecurity Bill of Rights

In the wake of recent cyber breaches against major health insurance companies, the NAIC is undertaking three initiatives designed to “protect consumer information and educate the public about cyber risks.” First, on July 28, 2015, the NAIC’s Cybersecurity Task Force issued a proposed Consumer Cybersecurity Bill of Rights. This Bill of Rights contains 12 specific rights for consumers, including the right to:

  • Know what type of personally identifiable information is being collected by the insurer and how long that information is being kept by the insurer, insurance producer, etc.;
  • Expect that the insurer or other state-regulated entity that holds a consumer’s PII in connection with an insurance transaction is adequately protecting that information;
  • Receive timely notice in the event of a data breach;
  • Receive a general description of the actions taken by the insurer to restore security and confidentiality of the PII involved in the breach;
  • Receive a minimum of two years of identity theft protection in the event of a breach; and
  • Request that all three nationwide consumer reporting agencies place a “security freeze” on the consumer’s credit report.

The Cybersecurity Task Force is currently accepting comments on the proposed Bill of Rights and is expected to adopt it within 30 days of issuing the Bill of Rights for comment. All comments are due to Pam Simpson no later than close of business on Monday, August 10, 2015.

Second, the NAIC is “coordinating with state insurance regulators to conduct examinations of insurance companies to verify companies are taking appropriate steps to protect sensitive data, including confidential personal information.”

Finally, the NAIC is co-sponsoring a forum entitled “Cyber Risk Management and Insurance” with the Center for Strategic and International Studies (CSIS). The forum will take place September 10, 2015, in Washington, D.C. “Cyber experts, policymakers and business leaders will discuss cyber risks faced by American businesses and consumers, and how best to manage those risks.”