NAIC Drafting ‘Ridiculous’ Model Act on CyberSecurity

SAN DIEGO, CA, Aug. 25, 2016 — The National Association of Insurance Commissioners is moving rapidly toward adoption of a new “model act” that, if approved by state legislatures, would impose massive new duties, expenses and liabilities upon the entire insurance industry—including every insurance agent and broker.

A task force comprised of more than 40 individual state regulators, including California Insurance Commissioner Dave Jones, has been working on a model act that would apply only to the insurance industry, and would not replace or eliminate any of the requirements under numerous federal and state laws already on the books, including other NAIC Model Acts.

The Independent Insurance Agents and Brokers of America—the national affiliate of IIABCal—has led efforts to dissuade Commissioners from the need for a new model, as well as encourage significant changes to the model as drafted.  Many of those concerns, however, appear to be falling on deaf ears as Commissioners continue to press toward Model Act creation.

Without offering any rationale for why a new all-encompassing insurance industry-specific cybersecurity law is even necessary, the latest draft of the model act applies to every insurance licensee, in admitted and non-admitted lines, and appears to make agents and brokers “strictly liable” for any data breach—whether it occurs in their own offices or at any third party with whom an agent has shared records.  No showing of actual consumer harm is required; any breach triggers massive new investigation, notification and remediation obligations.

“These requirements are completely ridiculous,” said IIABCal General Counsel Steve Young.  “They are completely unnecessary, and would provide consumers with absolutely no benefit that is not already conferred by existing law.  The cost of trying to implement these various requirements would be prohibitively high for all but the very largest and most sophisticated of national agencies.

“We would hope that the California Department of Insurance would not lend its support to this model act in the NAIC or seek its enactment in the California Legislature.  CDI would face the fierce, resolute and unanimous opposition of every broker-agent in this State if it did,” Young said.

IIABA conducted a Webinar this week—in advance of the Summer NAIC meeting in San Diego—in which the current version of the model act draft was discussed.  The PowerPoint slides used in the Webinar are available here.  A copy of the current draft of the act is available here.  Official comments submitted in opposition to an earlier draft, in March 2016, are available here.  IIABA comments from June 2016 on the current draft are available here.

IIABA criticism of the draft is centered on the following points:

  • Insurers and agents are already subject to data security and data breach notification requirements, and the draft model would add to and potentially conflict with these existing obligations (especially since state law cannot preempt federal law).  No one has identified the specific problems or regulatory gaps that warrant a new model of this nature.
  • The model would impose new data security, breach investigation, and breach notification requirements exclusively on the insurance industry.  The industry would be treated differently than any other sector or type of business, and it is doubtful that state lawmakers will want to establish new and insurance industry-specific requirements of this nature.
  • The draft would impose considerable data security burdens on all insurance agents.  Many of the provisions may be appropriate for large and sophisticated insurance companies and critical infrastructure, but countless main street insurance agencies will be unable to comply.
  • The proposal imposes one-size-fits-all requirements on all licensees.  The same requirements that would apply to global insurers would apply to small insurance agencies.
  • Reasonable protections should apply to data and information that is truly sensitive in nature, but the draft would apply broadly to data that is not sensitive.
  • The draft would impose unrealistic requirements in the event that an insurance agency is the victim of a breach.  It would force agents to provide so-called “identity theft protection services” that have been criticized by consumer groups and other experts, even though better options (like free credit freezes) exist.
  • Under the draft, insurance agencies that comply with data security requirements and take all reasonable measures to prevent a breach are still subject to sanctions.  The draft gives regulators the ability to unilaterally determine (without proper advance notice) the sanctions that would apply.
  • Although it was not the intent of the drafters, the draft can be interpreted as requiring independent insurance agents to be responsible for investigating breaches suffered by insurers and for providing consumer and regulator notifications in such instances.  Agents should be responsible for implementing their own safeguards, but they should not be responsible when personal information is shared with an insurer and that insurer subsequently suffers a breach.
  • The draft would establish a series of requirements concerning licensee relationships with third party service providers, and it would require licensees to impose demands on large and sophisticated third parties that are unrealistic.  Many small agents simply lack the market clout to compel third parties to acquiesce to such demands.
  • Perhaps most troubling, some proponents have indicated the model will become an NAIC financial accreditation standard.  This action would be inappropriate and unwarranted.  Some (and perhaps many) states would lose their accreditation status as a result, and such a move would undermine the success of that program and state regulation in general.