NAIC Cybersecurity “Bill of Rights” Wrong to Many Insurers

Last week, an NAIC task force moved forward in recommending a cybersecurity “bill of rights” that insurance regulators could provide consumers, essentially creating an expectation of notice of a breach “never more than 60 days” after a breach, and the right to one year of free credit monitoring. Insurance industry groups have objected to the proposed bill of rights. Among other objections, there is a concern that the “bill of rights” may create obligations and standards not currently provided under, and potentially inconsistent with, applicable state breach notification, privacy, and security laws and regulations.

The cybersecurity task force previously developed 12 principles for effective cybersecurity insurance regulatory guidance, as we reported here.

The cybersecurity bill of rights recommended by the task force is subject to NAIC approval. We will continue to track its progress.