NAIC Cybersecurity Bill of Rights for Insurance Consumers

The National Association of Insurance Commissioners Cybersecurity (Ex) Task Force has released a draft Bill of Rights for consumers. Commissioner Adam Hamm, Chair of the Cybersecurity (Ex) Task Force, has announced that this Bill of Rights will cover existing laws and regulations regarding security breach notification.

The 12 rights according to the draft are listed below. According to the Bill of Rights, an insurance consumer has the right to:

1. Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer, insurance producer, or other state-regulated entity.

2. Expect that an insurer, insurance producer, or other state-regulated entity that holds your personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information from disclosure to unauthorized persons.

3. Receive notice from an insurer, insurance producer, or other state-regulated entity if your personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud to you.

4. Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach.

5. Receive notification from health insurers regarding a data breach of protected health information that is held by a health plan, under federal HIPAA laws.

6. Receive notice from an insurer, insurance producer, or other state-regulated entity, without unreasonable delay and in no case later than 60 days, with information on any relevant payment card/bank account number breach, if the breach involves payment card/bank account numbers. This 60-day notice may be delayed in the event that the release of the breach information obstructs a criminal investigation or jeopardizes national security.

7. Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach of their security system, maintained by a third-party service provider that has been contracted to maintain, store, or process personally identifiable information in electronic or paper form.

8. Receive a general description of the actions taken by the insurer, insurance producer, or other state-regulated entity to restore the security and confidentiality of the personally identifiable information involved in a data breach.

9. Receive a minimum of two years of identity theft protection from the insurer, insurance producer, or other state-regulated entity in the event of a data breach.

10. Receive a summary of the rights of victims of identity theft prepared under the Fair Credit Reporting Act.

11. Request all three nationwide consumer reporting agencies to place a “security freeze” on your credit report. A “security freeze” will limit the consumer reporting agency from releasing your credit report or any information from your credit report without your authorization.

12. Receive an insurer, insurance producer, or other regulated entity’s privacy policy regarding the data they collect on you. The regulated entity should provide a clear and conspicuous notice to you that accurately reflects its privacy policies and practices on an annual basis.