As a result, we have a tangled regulatory mess with federal and state regulators each attempting to take the lead on this highly publicized issue and trying to pass laws that pre-empt each other.
We are left with duplications, conflicts and confusion.
There already exists a complicated web of laws and regulations governing data security and protection of personal information that applies directly or indirectly to the insurance industry. Forty-seven states and four territories have enacted data breach notification laws, and several states have enacted data security regulations. There are also federal laws and regulations that include provisions concerning data security: the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the recently enacted Cybersecurity Information Sharing Act.
Why do we need more regulation?
Simply put, it’s because the existing regulation is outdated by the ever-changing cyber landscape and the stakes have been escalating. In response, Congress has been considering broad legislation on data security, breach investigation, and breach notification, and the NAIC Cybersecurity Task Force has been reviewing model laws on privacy protection and fraud prevention.
The problem with existing and emerging laws and regulations is that there are many inconsistencies and conflicts. In addition to inconsistencies across the patchwork of state laws, there are conflicts between federal and state-enacted regulation. To make matters worse, the House Financial Services Committee has been working on data breach legislation (H.R. 2205) that calls for federal pre-emption of state law. The NAIC opposes this legislation because of its potential to restrict a state’s ability to protect consumers at the state level, which is contrary to the McCarran-Ferguson Act.
Furthermore, in February the NAIC Cybersecurity Task Force released the Insurance Data Security Model Law, a model law draft that intends to “establish the exclusive standards for data security and investigation and notification of a breach of data security.” The model law strives to create a uniform set of standards that apply to insurance entities across all states, directed by the state insurance commissioners. The comment period on the model law resulted in over 130 pages of written comments from insurers, trade groups, regulators and other interested parties. These groups raised concerns about the ability to pre-empt federal and existing state regulation; a need for further clarification and definition of certain terms; consideration of risk-based and size-based provisions and exemptions; third-party vendor agreement provisions; breach notification time frames; board responsibility provisions; and the degree of state insurance commissioner latitude in setting standards differing from the model law, among other things. The model law and comments can be viewed on the NAIC’s website.
The model law will likely undergo review and revision, and the issue of state vs. state and state vs. federal regulation is yet to be decided, but the risks related to cybersecurity breaches continue to emerge, and the race by lawmakers and regulators to legislate a solution is going to continue.
Regardless of who ends up with the final regulatory oversight of cybersecurity, every company should consider establishing cyberrisk management practices and procedures that include appropriate breach responses, and continue to increase employee awareness of cyberrisks through education.