Kentucky is the latest state to sign into law model provisions written by the National Association of Insurance Commissioners (NAIC) to protect consumer data that is provided to insurance carriers.
The Insurance Data Security Model Law was adopted in 2017 by the NAIC after two years of “extensive deliberations and input.” It was created to address “several major data breaches involving large insurers that have exposed and compromised the sensitive personal information of millions of insurance consumers” in recent years, according to an NAIC brief.
“State adoption of the model is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information,” the NAIC states in the brief.
By the association’s latest count, 21 states, including Kentucky, had adopted the Model Law as of April 25 – North Dakota, Minnesota, Iowa, Wisconsin, Michigan, Indiana, Ohio, Tennessee, Virginia, Maryland, Washington D.C., South Carolina, Louisiana, Mississippi, Alabama, Delaware, Connecticut, New Hampshire, Maine, and Hawaii. Bills are pending in Illinois, Vermont, Rhode Island, and Washington to adopt the Model Law. New York has its own, separate data privacy provisions in place, according to NAIC.
Repairer Driven News asked NAIC to comment on Kentucky’s passage of the Model Law, but an association spokesperson declined.
In October 2017, the U.S. Treasury Department recommended prompt adoption of the model by each state and said that if adoption and implementation didn’t result in uniform data security regulations within five years, U.S. Congress “needs to act by passing legislation setting forth uniform requirements for insurer data security,” according to the NAIC brief.
“The model requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program (Section 4),” the brief states. “The model phases in requirements for compliance with the information security program and oversight of third-party service providers.”
The full Model Law can be found here, on NAIC’s website.
Kentucky Gov. Andy Beshear signed HB 474 into law on April 8. Its effective date is Jan. 1, 2023, but carriers have until Jan. 1, 2024 to implement subsections one, three, five, and seven of Section 4 of the act and until Jan. 1, 2025 to implement subsection four of Section 4, according to the law.
Carriers or licensees with fewer than 50 employees, including independent contractors, are exempt from the requirements of Sections 1 through 10 of the law.
Each insurer in the state will be required to implement the following security measures “as appropriate:”
- “Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information;
- “Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy;
- “Restrict physical access to nonpublic information to authorized individuals only; and
- “Protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and stored on a laptop computer or other portable computing or storage device or media.”
Every insurer will also be required under the law to “regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.”
The law also applies to the third-party providers that carriers use, which they are to “exercise due diligence in selecting.”
The law also places responsibility on the state’s insurance commissioner in some cases, because carriers, all licensees, and insurance producers are required to notify the commissioner’s office of a cybersecurity event if Kentucky is their home state of business, if there is a “reasonable likelihood” that normal operations will be harmed, or if the nonpublic information involved in the event relates to 250 or more Kentucky residents.
The commissioner, under the law, can examine and investigate “the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of Section 4, 5, or 6” of the act. The commissioner can put in place administrative regulations on those who are found to be in violation of any section of the act.
Data privacy is of obvious concern for everyone, according to Erica Eversman, who is a consumer liaison to NAIC through the nonprofit Automotive Education & Policy Institute. “Particularly because insurers have so much information about us,” she said. “That is part and parcel with the ‘Big Data’ push – that the insurance regulators are looking at, with the accumulation of ‘Big Data’ by insurance companies, consumer advocates’ concerns about not only the collection of significant amounts of data, but how insurers are going to use that and safeguard it.”
When saying “Big Data,” Eversman said she was referring to the sweeping collection of any and all personal and company information whether necessary to have or not.
“There’s a big discussion going on right now about whether consumers should have to opt-out – whether the burden should be on them – or whether the default should be opt-out and only if the consumer opts-in should the insurer be permitted to share that information,” she said.
This year, NAIC created a new committee, called the Innovation Cybersecurity and Technology (H) Committee, made up entirely of insurance regulators to address “Big Data” issues as well as cybersecurity and data privacy threat prevention, according to Eversman. She thinks the committee will likely become even more important as more insurance companies do away with brick-and-mortar locations to offer cloud-based online-only services.
Eversman recommends that consumers ask their carriers who their personal information will be shared with. She agrees with the Model Law’s position that when insurers hand information to third parties, the carriers should remain responsible for ensuring the data is protected. In the collision repair space, for example, that would mean making sure shops have data protection systems in place, she said.
“All that information could be hacked from the repairer,” Eversman said. “A lot of the supposed [carrier] protections are ivory tower thought processes. It’s like saying, ‘I waved my magic wand at the front door – I don’t have a lock on it, but I waved my magic wand at the front door and told everybody that they’re just not allowed to come in if I don’t want them to.’ That’s not any meaningful, real protection because there are no meaningful repercussions. … There isn’t a lot that consumers can do. You can say, ‘No, I don’t want to share that information.’ And they say, ‘OK, fine. We can’t give you any auto insurance.’”
However, Eversman encourages consumers to take up the issues with their members of Congress and to use consumer advocacy groups, like the Consumer Federation of America, as resources.
Featured image: Capitol building in Frankfort, Kentucky. (Photo credit: alexeys/iStock)