Insurance Industry Seeks Major Edits to NAIC Cybersecurity Model Draft
April 8, 2016 by Thomas Harman
NEW ORLEANS – Insurance groups are asking a National Association of Insurance Commissioners’ cybersecurity task force if they could meet to re-write or discuss significant portions of its draft cybersecurity model law, but North Dakota Insurance Commissioner Adam Hamm, the panel chairman, said he would only be willing to hold private talks.
Discussions on the new model law draft occurred April 4 during the NAIC’s 2016 Spring National Meeting. Last fall, the NAIC approved a guidance document designed to help states with cybersecurity-related consumer protections, a document designed to pave the way toward a single model law this year (Best’s News Service, Dec. 18, 2015). Work is expected to continue throughout the spring and summer, said Angela Gleason, American Insurance Association, associate counsel.
The hope is to have a final model ready for consideration by the full NAIC membership for the Summer National Meeting in August in San Diego. Hamm said should that fail to occur, a model would have to be ready for consideration between the San Diego meeting and the Fall National Meeting in December in Miami.
Industry representatives favored a national, uniform cybersecurity standard, but said rewrites would be necessary on various points. Gleason told the panel it is essential the model be done right. “As such, we are committed to devoting the time necessary to doing a section-by-section analysis of this model with you,” she said. “There is no magic bullet.”
Bob Woody, representing the Property Casualty Insurers Association of America, also asked for an in-person meeting where the draft could be made workable. “I’m optimistic enough to think we can get together and come up with something that is workable if we try,” he said.
Hamm told Best’s News Service he is willing to have some kind of session to talk with industry about changing the draft, but fears allowing the industry to essentially rewrite the document might create credibility problems with consumers.
“The way it’s worked for a century and a half — and it’s worked well in our state regulatory system — is that regulators draft model laws, stakeholders comment. I’m much more open to having a day where we all get together and talk about it,” Hamm said. “I’m much more open to that than I am some sort of joint drafting session. That I have deep concerns about.”
A final NAIC cybersecurity model draft would claim to make it the exclusive data breach model for the insurance sector. Hamm said he wants the panel to work quickly in part because Congress is already considering data breach legislation that would apply to all sectors of the American economy. The NAIC should “occupy the field, so that we can go to Congress and say ‘We know you’ve got this pending legislation. Please carve out insurance, because we’ve already got it taken care of with this model law.’”
The American Council of Life Insurers said members want a unified national security and breach notification standard that is risk-based and implemented uniformly nationwide. However, Roberta Meyer, ACLI’s vice president and associate general counsel, said the group has “serious and fundamental concerns” with the model, including provisions such as the breach notification requirement and more than one consumer protection requirement.
“They’re very concerned about provisions that would have each commissioner review a draft of an insurer’s notice before it would go out,” Meyer said, adding the ACLI is also concerned about a provision that would grant each commissioner authority to prescribe different levels and duration of consumer protection. “Consumers in different states across the country could get 50 different notices with 50 different levels of protection,” she said.
Wes Bissett, senior counsel, government affairs for the Independent Insurance Agents & Brokers of America, said Big I’s concerns with the draft are not minor or technical, but are “foundational and fundamental.” For instance, he said the draft would impose considerable and costly data burdens on insurance agents. Smaller companies, he said, would be unable to meet the requirements. He said information protection requirements are too broad and the draft imposes unrealistic requirements in the event an agency is the victim of a data breach.
“What it seems like they’re saying is that they want a national standard. They just don’t want it to be this [draft],” Hamm said. “That’s obviously a pretty large difference of opinion there. But again, this is just a draft, a first draft. We’ll work our way through it.”
(By Thomas Harman, Washington Bureau manager, BestWeek: Tom.Harman@ambest.com)