BreachExchange mailing list archives

NAIC Cybersecurity Bill of Rights: the awkward new guest at the data breach law party
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Nov 2015 17:23:33 -0700

http://www.lexology.com/library/detail.aspx?g=9d7f0d84-4072-4935-bf61-fd3612768787

On October 14, 2015, the NAIC’s Cybersecurity (EX) Task Force adopted a
Cybersecurity Bill of Rights, an aspirational, well-intended document
outlining the rights insurance consumers should (or could? or might? this
point remains uncertain) expect with regard to their personal information
in the hands of insurance companies, insurance agents, and any of their
vendors. The document, now in queue for a vote by the NAIC Executive
Committee, has not enjoyed a warm reception among industry groups and data
privacy lawyers for a number of reasons. Concerns include the Bill’s
divergence from prevailing laws and regulations on important issues, and
the resulting uncertainties, which could raise the cost and risk of
compliance, and thereby the cost of cyber insurance coverage increasingly
sought by insurance companies, agents, and their vendors to defray their
exposure as a result of a data breach. As the Bill purports to bestow upon
consumers of insurance products new rights and entitlements in the event of
a data breach, it overlaps and creates potential inconsistencies with the
data breach laws adopted by 47 of the 50 states (plus Washington DC, Puerto
Rico, and other U.S. jurisdictions).

If adopted by the NAIC, the Bill is intended to be melded into existing
related NAIC model laws with the expectation that those amended provisions
would then be picked up by various state legislatures or state departments
of insurance to amend relevant portions of their respective state insurance
codes or regulations.

This Bill joins a very crowded gathering of existing and proposed measures
at nearly every level of government and industry, seeking to do something –
anything – about the mushrooming problem of sensitive personal information
leaking (or being siphoned) seemingly uncontrollably from the electronic
coffers of entities of every stripe, or simply being lost, misplaced, or
misdirected by those entities.

Unfortunately, this Bill does not fit in well with the crowd it seeks to
join. In enumerating six general “rights” of an insurance consumer, the
Bill goes both too far and not far enough. The wording of the “rights”
lacks sufficient surgical precision in defining the types of incidents that
should fall within the scope of the Bill, and does not account for the
practical (and in some cases, legal) realities of a data breach incident
response. As a result, the Bill overburdens insurance companies and
producers, while not adding meaningfully to the protection of consumers. A
few illustrative examples are discussed below.

The Bill requires that a consumer receive a notice from the insurance
company, agent, or any down-stream business “if an unauthorized person has
(or it seems likely they have) seen, stolen, or used your personal
information.” (Right #4.) Unlike most existing breach notification
requirements, the Bill does not contemplate exceptions to this requirement
for situations where there is not a reasonable likelihood of harm to the
consumer. Without such a “likelihood of harm” exception, consumers could be
notified of incidents that would not likely harm them and so they would be
confused and alarmed unnecessarily, and for no benefit. Most commentators,
including regulatory and enforcement agencies, have recognized the dangers
of over-notification, including a desensitization that can numb notice
recipients to the risks presented by potentially more harmful incidents.
Likewise, the insurance company, agent, or down-stream business would be
subjected to substantial unnecessary expenses, liability, and reputational
risk for a no-harm, no-foul incident. Creating a mandatory notice
requirement simply where an unauthorized person seems likely to have seen
personal information is a substantial expansion of what constitutes a data
breach under most existing legal regimes governing data breach notices
without improving the protection of consumers.

There is a further requirement in the Bill that the consumer data breach
notice letter be sent “never more than 60 days after a data breach is
discovered.” The inflexibility built into this requirement ignores, for
example, cases where law enforcement or other agencies may be involved and
may request or require delayed notification while their investigation
proceeds.

As another example, consumers affected by a data breach are required under
the Bill to receive at least one year of identity theft protection paid for
by the insurance company or agent involved in the breach. (Right #5.) This
blanket requirement does not account for the many types of breaches where
identity theft protection would be of no value to the consumer. For
example, while entities suffering a breach involving credit card data or a
breach where there is no likelihood of harm sometimes voluntarily offer
identity theft protection to potentially affected individuals, such
protection is not required under most existing laws and regulations.
Nevertheless, the Bill would create an expectation of entitlement that
increases costs and exposures, without a corresponding benefit to the
consumer.

Certainly, this well-intended Bill is a step in the right direction in
trying to bring consistency and uniformity within the insurance industry on
the issue of cybersecurity and data protection, but there is work yet to be
done to achieve effective consumer protection in the face of the realities
of cyber threats and garden-variety data loss being experienced by
companies in the insurance industry with increasing regularity.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 