NAIC Cybersecurity Bill of Rights: The Awkward New Guest at the Data Breach Law Party

November 13, 2015

On October 14, 2015, the NAIC’s Cybersecurity (EX) Task Force adopted a Cybersecurity Bill of Rights, an aspirational, well-intended document outlining the rights insurance consumers should (or could? or might? this point remains uncertain) expect with regard to their personal information in the hands of insurance companies, insurance agents, and any of their vendors. The document, now in queue for a vote by the NAIC Executive Committee, has not enjoyed a warm reception among industry groups and data privacy lawyers, for a number of reasons. The Bill diverges from prevailing laws and regulations on important issues, and the resulting uncertainty could raise the cost and risk of compliance, and with it the cost of the cyber insurance coverage that insurance companies, agents, and their vendors increasingly purchase to defray their exposure from a data breach. Because the Bill purports to bestow on consumers of insurance products new rights and entitlements in the event of a data breach, it overlaps, and creates potential inconsistencies, with the data breach notification laws already adopted by 47 of the 50 states (plus Washington DC, Puerto Rico, and other U.S. jurisdictions).

If adopted by the NAIC, the Bill is intended to be melded into existing related NAIC model laws with the expectation that those amended provisions would then be picked up by various state legislatures or state departments of insurance to amend relevant portions of their respective state insurance codes or regulations.

This Bill joins a very crowded gathering of existing and proposed measures at nearly every level of government and industry, seeking to do something – anything – about the mushrooming problem of sensitive personal information leaking (or being siphoned) seemingly uncontrollably from the electronic coffers of entities of every stripe, or simply being lost, misplaced, or misdirected by those entities.

Unfortunately, this Bill does not fit in well with the crowd it seeks to join. In enumerating six general “rights” of an insurance consumer, the Bill goes both too far and not far enough. The wording of the “rights” lacks the precision needed to define which types of incidents fall within the scope of the Bill, and it does not account for the practical (and in some cases, legal) realities of a data breach incident response. As a result, the Bill overburdens insurance companies and producers while adding little meaningful protection for consumers. A few illustrative examples are discussed below.

The Bill requires that a consumer receive a notice from the insurance company, agent, or any down-stream business “if an unauthorized person has (or it seems likely they have) seen, stolen, or used your personal information.” (Right #4.) Unlike most existing breach notification requirements, the Bill contemplates no exception for situations where there is not a reasonable likelihood of harm to the consumer. Without such a “likelihood of harm” exception, consumers would be notified of incidents unlikely to harm them, and would be confused and alarmed unnecessarily, for no benefit. Most commentators, including regulatory and enforcement agencies, have recognized the dangers of over-notification, including a desensitization that numbs notice recipients to the risks presented by potentially more harmful incidents. Likewise, the insurance company, agent, or down-stream business would incur substantial and unnecessary expense, liability, and reputational risk for a no-harm, no-foul incident. Most state statutes are triggered by the unauthorized acquisition of personal information, and many also build in a risk-of-harm analysis; a mandatory notice requirement triggered merely because an unauthorized person “seems likely” to have seen personal information reaches mere access, and is therefore a substantial expansion of what constitutes a data breach under most existing legal regimes, without improving the protection of consumers.

The Bill further requires that the consumer data breach notice letter be sent “never more than 60 days after a data breach is discovered.” The inflexibility built into this requirement ignores, for example, cases where law enforcement or other agencies are involved and request or require that notification be delayed while their investigation proceeds, a delay that most existing state breach notification laws expressly permit.

As another example, consumers affected by a data breach are entitled under the Bill to receive at least one year of identity theft protection paid for by the insurance company or agent involved in the breach. (Right #5.) This blanket requirement does not account for the many types of breaches where identity theft protection would be of no value to the consumer, such as a breach limited to payment card data (where the exposed card can simply be cancelled and reissued) or a breach that presents no likelihood of harm. Entities suffering such breaches sometimes offer identity theft protection voluntarily to potentially affected individuals, but it is not required under most existing laws and regulations. Nevertheless, the Bill would create an expectation of entitlement that increases costs and exposures without a corresponding benefit to the consumer.

Certainly, this well-intended Bill is a step in the right direction in trying to bring consistency and uniformity to the insurance industry on the issue of cybersecurity and data protection. But work remains to be done before it achieves effective consumer protection in the face of the cyber threats and garden-variety data loss that companies in the insurance industry are experiencing with increasing regularity. We continue to monitor the developments on this front.

Theodore Augustinos is a Partner in the Hartford office of Locke Lord. He can be reached at