IIABA Update: NAIC Cybersecurity Model Law
Cybersecurity déjà vu
• The debate regarding data security and post-breach requirements was (re)ignited following several high-profile events.
• Many of these issues are not new, and existing laws (e.g. GLBA/HIPAA) apply in this arena.
  – GLBA required regulators to develop standards designed to:
    • (1) Ensure the security and confidentiality of customer records and information,
    • (2) Protect against any anticipated threats or hazards to the security or integrity of such records, and
    • (3) Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to customers.
  – The NAIC adopted its safeguards model law in 2002.
  – Nearly every state also has an existing data breach statute.
    • These laws typically impose investigation and notice requirements and other obligations.
NAIC Engagement
• The NAIC formed its Cybersecurity Task Force in November 2014.
  – It is chaired by Adam Hamm, North Dakota’s elected commissioner and a former NAIC president.
    • The vice chair is South Carolina Insurance Director Ray Farmer.
  – All commissioners (except AZ, GA, IN, IA, LA, MI, OR, WV, and WY) sit on the task force.
• The task force’s most notable work has been the development of new cyber legislation – the Insurance Data Security Model Law.
  – There was a presumption that a new model was needed and no discussion of existing problems or regulatory gaps.
  – The initial version was released in March. Public hearings, written comments, and regulator-only conference calls followed. The second version was unveiled last week.
  – IIABA has been actively engaged throughout this process, and we thank the states that have helped with this effort.
Scope of the Model
• The model’s scope is both broad and narrow.
  – The proposal applies broadly to all licensees and would create new mandates for all agents, insurers, and others.
    • If enacted by states, the model would apply to every agent and broker in the country.
    • It does not eliminate existing federal requirements and may apply in addition to existing state mandates as well.
    • It is not expressly limited to domestic or resident licensees.
  – It only applies to the insurance industry.
    • It would treat one sector of the economy differently than others, and it is unclear whether state legislators will want to enact cyber requirements that apply uniquely to our industry.
• The draft has two primary components:
  – Information Security – It would require licensees to develop and adhere to a comprehensive data security program.
  – Data Breach Investigation, Notification, and Remediation – It would establish requirements that apply when personal information maintained by a licensee or service provider is improperly accessed or obtained.
Application of the Model
• The model addresses the handling of “personal information.”
• The definition of “PI” has been broadened and now includes:
  – A financial account number in combination with a password, security code, etc.
  – A person’s first name (or initial) and last name in combination with:
    • A Social Security Number,
    • A driver’s license, passport, or similar number,
    • A user name or email address in combination with a password,
    • A person’s date of birth,
    • Information that a licensee already has a legal or contractual duty to protect from unauthorized access or public disclosure,
    • Information that is provided by or obtained about a person in connection with an insurance transaction, or
    • Information about a person that results from an insurance transaction.
  – Any information that relates to one’s physical, mental, or behavioral health or the provision of or payment for health care.
• Other observations:
  – The definition is not limited to data that is truly sensitive or information that is maintained in electronic form.
  – The definition of “consumer” includes any individual whose personal information is in the possession, custody, or control of a licensee (i.e. it is not limited to policyholders).
Other Key Definitions
• Data Breach
  – A “data breach” is defined as “the unauthorized acquisition, release, or use of personal information.”
    • There is no data breach if the PI was encrypted and the encryption, process, or key is not compromised.
    • The term is not limited to electronic events.
  – Unlike many existing laws today, there is no harm trigger.
    • So, the definition applies to events that may not necessarily compromise the security, confidentiality, or integrity of PI or result in harm to any consumer. This is significant.
• Third Party Service Provider
  – This term is defined as any “person or entity that contracts with a licensee to maintain, process, store, or otherwise have access to [PI] under the licensee’s possession, control, or custody.”
  – This definition is significant, and it is unclear how this applies to carrier-independent agent relationships.
    • An insurer could be considered to be a third party service provider of an independent agent.
Information Security
• Each licensee would be required to develop, implement, and maintain a comprehensive written information security program for protecting PI.
  – The requirement contemplates flexibility and scalability. A licensee’s specific program is to be “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, and the sensitivity of the [PI] in the licensee’s possession, custody, or control.”
  – The goals of a program are to (1) protect the security and confidentiality of PI, (2) protect against anticipated threats or hazards to PI, (3) protect against unauthorized access or use of PI and minimize the potential harm for consumers, and (4) define a schedule for retention of PI and its destruction when no longer needed.
Risk Assessment
• As a licensee develops its own security program, it would be required to:
  – Designate an employee or employees responsible for the effort,
  – Identify reasonably foreseeable internal and external threats,
  – Assess the likelihood of these threats,
  – Assess the sufficiency of policies, procedures, systems, and safeguards (including a review of staff training; information systems; and ability to prevent, detect, and respond to attacks and systems failures),
  – Implement safeguards to manage threats identified in the assessment, and
  – Regularly assess the effectiveness of key controls, procedures, and systems.
Risk Management
• Each licensee would then be required to design a security program to mitigate the identified risks.
  – The text affirms that the program should be commensurate with the sensitivity of the PI and the complexity and scope of a licensee’s activities.
  – Some improvements were made in the recent draft:
    • The text no longer requires adherence to the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.
    • The text no longer requires the use of an information sharing and analysis organization (ISAO) to share information and stay informed of emerging threats and vulnerabilities, but it does require licensees to use generally accepted cybersecurity principles to share info and stay informed of emerging threats or vulnerabilities.
Information Security Plan
• The draft says the individual elements of a licensee’s security program must be based on generally accepted cybersecurity principles, including, “as appropriate,” certain enumerated measures.
  – This change makes clear that these particular measures would not be required of every licensee, but they could become de facto mandates.
• The revised model mentions a list of potential security measures:
  – Encrypt PI when the data is in transit or on a laptop or other portable computing or storage device,
  – Regularly test or monitor systems to detect attacks or intrusions,
  – Establish access controls on IT systems and at physical locations where PI is maintained,
  – Utilize multifactor authentication, segregation of duties, and background checks for those with access to PI,
  – Implement response procedures that are triggered when a breach is suspected or detected,
  – Protect against destruction, loss, or damage to PI due to environmental hazards (e.g. fire, technology failure),
  – Properly dispose of PI, and
  – Monitor, evaluate, and adjust the program in light of changes in technology, evolving threats, business arrangements, etc.
Board of Directors
• If an agency has a board of directors, then the board (or a committee comprised of board members) would be required to oversee the development, implementation, and maintenance of the information security program.
• The proposal also directs the board (or appropriate committee) to require management to submit annual written reports on the status of the information security program, the licensee’s compliance with the cyber law, and any material matters related to the program.
Service Providers
• The model addresses third party service providers.
  – Again, these are entities that contract with a licensee to maintain, process, store, or otherwise have access to PI under the licensee’s possession, custody, or control.
• The draft states that licensees:
  – “Shall contract only with third party service providers that are capable of maintaining appropriate safeguards for the [PI] in the licensee’s possession, custody, or control, and
  – “Shall be responsible for any failure by such third party service providers to protect [PI] provided by a licensee to the [providers] consistent with this Act.”
• This suggests licensees are strictly liable for the cyber practices of their partners and vendors.
  – These provisions do not have any form of reasonableness standard and are among the most concerning in the draft.
  – We especially invite feedback concerning these items.
Comments & Questions
Breaches: Investigation
• A “breach” is the “unauthorized acquisition, release, or use of personal information.”
  – Again, a breach occurs whenever there is an unauthorized acquisition of any PI (unless the data is encrypted). There is no harm trigger and no specific safe harbor when the PI is redacted or protected in other ways that make it unreadable and unusable.
• If a breach involving PI in the possession, custody, or control of a licensee or any of the licensee’s third party service providers has (or may have) occurred, then the licensee must investigate promptly.
  – The investigation must at least (1) assess the nature and scope of the incident, (2) identify the PI involved, (3) determine if the PI has been acquired, released, or used without authorization, and (4) take reasonable steps to restore the security of the compromised systems.
  – A licensee must investigate data breaches or potential data breaches involving their third party service providers.
Breaches: Notification
• The model’s notification requirements are triggered if:
  – A licensee determines that a data breach has occurred, and
  – Certain categories of personal information have been acquired.
• If the notification requirements are triggered, the licensee must contact:
  – The DOI of the licensee’s home state and any other state where affected consumers reside,
  – The relevant federal and state law enforcement agencies (?),
  – Every consumer to whom the personal information relates,
  – Any relevant payment card network (if the breach involves payment card numbers), and
  – Each nationwide credit reporting agency (if the breach affects 500+ consumers).
• Considerations:
  – This applies to all data breaches (and not just e-breaches).
  – The harm trigger has been removed, and these notice requirements apply regardless of the number of records or individuals affected.
  – A licensee is responsible for all notice requirements if a third party service provider is breached.
Notice to Regulators
• After confirming a breach, a licensee would have three days to notify the appropriate insurance departments.
  – Licensees would also have a duty to update and supplement previous disclosures.
• The regulator disclosure is to include 14 different data elements (to the extent known at the time), such as:
  – The date of the breach,
  – A description of the breach and the type of information involved,
  – Whether any individuals involved in the breach have been identified,
  – How the breach was discovered,
  – The number of consumers per state affected,
  – The results of any internal review, and
  – A description of remedial efforts being undertaken.
Notice to Consumers
• The draft requires licensees to notify affected consumers as expediently as possible and without unreasonable delay (and no later than 60 days after confirming a breach).
  – The draft now identifies the permissible means of delivery.
  – The licensee must first provide the DOI with an advance copy of the draft communication, and the commissioner may review the notice before it is sent.
  – The notice must be “straightforward” and include the following information:
    • A description of the PI involved and the actions being taken by the licensee or service provider to safeguard the information,
    • A summary of rights for victims of identity theft,
    • An explanation of the steps that consumers can take to protect against ID theft or fraud (including descriptions of how to put in place 90-day fraud alerts, extended fraud alerts, and credit freezes), and
    • Contact information for the licensee and the nationwide credit reporting agencies.
Identity Theft Protection
• The consumer notice must include an offer of free identity theft protection services for at least one year or other consumer protections ordered by the commissioner.
  – There is no definition of these services.
  – The model would require the offer even if an agency satisfied its data security obligations and took all reasonable measures to prevent a breach, the consumer is not harmed, the consumer has access to such services already, etc.
  – Some entities have offered such services or been compelled to do so in the past, but the benefit has been questioned by consumer groups and others.
    • Only one state has a similar requirement in place today.
    • In anticipation of proposals along these lines, state associations may wish to support legislation that allows consumers to put a credit freeze in place for free.
  – Among the many problems with this provision is the fact that agents (unlike other types of businesses) cannot raise the price of insurance policies and recoup these costs.
Unlimited DOI Authority
• The proposal would give regulators the authority, after reviewing a licensee’s proposed breach notification, to “prescribe the appropriate level of consumer protection required … and how long that protection will be provided.”
  – It also states that “the commissioner may order the licensee to offer to pay for twelve months of identity theft protection for affected consumers, pay for a credit freeze, or take other action deemed necessary to protect consumers.”
  – This provision gives regulators the unlimited ability to unilaterally determine, without proper advance notice, the sanctions that would apply.
Other Provisions
• The purpose section suggests the model’s provisions could be a floor and not necessarily the exclusive source of cyber-related mandates.
• The first draft included a privacy policy disclosure requirement distinct from existing GLBA-related mandates, but that was eliminated.
• A series of administrative and enforcement provisions were included in the initial draft, and those were deleted.
  – The model now relies on existing law.
• The proposal still includes a confidentiality section.
  – This protection only applies to eight of the data items that must be disclosed to regulators in the event of a breach.
• The model says it should not be construed to create or imply a private cause of action (nor curtail any private cause of action that would otherwise exist).
NAIC Model Law Process
• The NAIC adopted a series of model law development procedural changes several years ago.
  – Model laws are supposed to be adopted only to address subjects (1) that necessitate a national standard or require uniformity among all states, and (2) where NAIC members are committed to devoting significant regulator and NAIC resources.
  – The proposed cyber model law must be approved by a two-thirds majority of both the task force and the full NAIC membership.
    • Each commissioner is supposed to vote based on whether he/she will make a commitment to seek introduction and support the proposal in his/her state legislature.
    • Proposals that receive a majority vote beneath the two-thirds threshold are classified as best practices guidelines.
NAIC Accreditation Program
• Some supporters of the cyber draft have argued that the final model should or will become a required element of the NAIC accreditation program.
  – The accreditation program was developed in the late 1980s in response to several notable insurer insolvencies and subsequent Congressional scrutiny.
    • The program develops standards and model laws related to financial solvency regulation.
    • Accredited states must meet certain standards with regard to insurer solvency oversight, and this allows non-domestic officials to rely on the work of an accredited domestic regulator.
    • All states are currently accredited.
    • This system creates efficiencies for insurers as well.
  – Adding new standards involves extensive procedures.
    • In most cases, 60% of the NAIC membership must approve a new standard. A waiver of many steps can occur with a 75% vote.
    • Proponents must also explain how a new proposed standard is “directly related to solvency surveillance.”
  – IIABA and others have argued that it would be inappropriate and improper to make this model a required accreditation standard.
    • This is not a solvency issue, and the precedent is a bad one.
    • This would needlessly jeopardize the accreditation program and the accreditation status of states.
Observations
• Some of the data security provisions have been improved.
  – One positive change is that the data security requirements are now more flexible and less prescriptive.
  – The third party service provider provisions, however, are arguably worse. Interestingly, however, there are no mandates imposed upon service providers directly.
• The data breach investigation, notification, and remediation provisions are arguably worse.
  – These provisions are one-size-fits-all in nature and apply equally to global insurers and small insurance agencies.
  – The elimination of the harm trigger is concerning.
  – The identity theft protection provision remains, and the ability of the commissioner to unilaterally apply sanctions in the name of consumer protection appears unprecedented.
  – These requirements would likely produce noncompliance.
• IIABA is not optimistic that any future revisions will be sweeping or significant in nature.
• Legislators may not be convinced that insurance-specific cyber legislation is a good idea.
  – IIABA has already brought this issue to NCOIL’s attention, and the legislators expressed a range of concerns with the proposal.
Looking Ahead
• The process is moving quickly by NAIC standards.
  – To help us respond, we ask state associations to provide substantive and political feedback.
  – The NAIC is meeting later this week.
    • The Cybersecurity Task Force meets on Saturday. IIABA and others are meeting with the chair and vice chair on Friday.
    • In light of the meeting, we urge state associations to weigh in quickly with their regulators.
  – Written comments on the new draft are due in mid-September, and conference call consideration of the model is likely to follow.
• The NAIC intends to approve the model before the end of the year so that legislative consideration can occur in 2017.
  – State associations may want to begin legislative planning for 2017 (e.g. contacting key legislative leaders, administration officials, other stakeholders, etc.).
Message for Regulators
• Our proposed message to commissioners is this:
  – The agent and broker community is disappointed by the most recent version of the cybersecurity model law. The new draft did not address our most significant concerns, and some provisions are worse than before.
  – The Big I has previously identified many of our concerns and submitted alternative text, and we are happy to share any of this information with you again.
  – This proposal would impose broad new burdens on agents and brokers, and our association would be forced to strongly oppose legislation of this nature if introduced in the legislature.
  – We are especially troubled by the notion that this model might become a required element of the NAIC accreditation program. Such an action is inappropriate and unwarranted, and the accreditation program should not be politicized in this manner.
  – We urge you to raise these issues and concerns during your NAIC zone and roundtable meetings later this week.
Comments & Questions
Please provide your feedback. Thanks for participating!