Canadian Underwriter

U.S. National Association of Insurance Commissioners adopts Cybersecurity Bill of Rights

October 16, 2015   by Canadian Underwriter


The National Association of Insurance Commissioners (NAIC) in Washington, D.C. has announced that its Cybersecurity Task Force has adopted a Cybersecurity Bill of Rights, aimed at bolstering consumer protection.

The Bill of Rights includes six major rights for insurance consumers in the United States.

“Consumers have a right to expect their personal, financial and health information entrusted to the insurance industry is secure,” said Adam Hamm, NAIC Cybersecurity Task Force chair and North Dakota Insurance Commissioner, in a statement on Wednesday. “They also deserve to know when a breach occurs so they can safeguard themselves against identity theft or other types of fraud. This Bill of Rights is designed to assist consumers when sensitive information is breached.”

The release of the Cybersecurity Bill of Rights, which coincides with National Cybersecurity Awareness Month in the U.S., is intended to help update model laws considered by the task force, the NAIC said. The document will now head to the NAIC executive committee/plenary for full membership discussion and approval.

The bill includes six major “rights” for insurance consumers, including the right to:

• Know the types of personal information collected and stored by an insurance company, agent or business they contract with (such as marketers and data warehouses);

• Expect insurance companies/agencies to have a privacy policy posted on their website and available in hard copy explaining: what personal information is collected, what choices consumers have about their data, how consumers can see and change/correct their data if needed, how the data is stored/protected, and what consumers can do if the company/agency doesn’t follow its privacy policy;

• Expect the insurance company, agent or any business they contract with to “take reasonable steps to keep authorized persons from seeing, stealing or using” personal information;

• Get a notice from the insurance company, agent or any business they contract with if an unauthorized person has (or it seems likely they have) seen, stolen or used personal information. The notice should, among other items: be sent soon after a data breach, and never more than 60 days after the data breach is discovered; describe the type of information involved in a data breach and the steps that can be taken to protect the consumer from identity theft or fraud; describe the actions taken to keep personal information safe; include contact information for the three nationwide credit bureaus; and include contact information for the company or agent involved in the breach;

• Get at least one year of identity theft protection paid for by the company or agent involved in a data breach; and

• Other rights in the cases of identity theft, such as a 90-day initial fraud alert on credit reports (the first credit bureau contacted will alert the other two) and having fraudulent information related to a data breach removed or blocked from credit reports.

The statement notes that proponents of the bill have drafted a simple guide with consumer-friendly terms to tell policyholders what to expect if their personal information is compromised. The Cybersecurity Bill of Rights will be made available for state insurance departments to publish for local consumers and the rights may vary, depending on state law.

“Cybersecurity is one of the biggest challenges facing businesses today and this is one of our association’s key priorities,” concluded Monica J. Lindeen, president of the NAIC and Montana Insurance Commissioner.