The first half of 2022 brought plenty of activity in the data privacy and cybersecurity space, much of which is applicable to or of interest to the insurance industry. We outline some of this activity below.
Revisions to NAIC Models 670 and 672
The National Association of Insurance Commissioners (NAIC) Privacy Protections (H) Working Group has begun revisions to NAIC Model 670 – Insurance Information and Privacy Protection Model Act. The Working Group intends to have an updated draft of Sections 1-13 available for review and comment by the end of August. The revised model is anticipated by the end of 2022. The Privacy Protections (H) Working Group’s work plan states that it intends to begin to revise NAIC Model 672 - Privacy of Consumer Financial and Health Information Regulation, in 2023.
State Insurance Data Security Law Adoptions
Kentucky, Maryland and Vermont each adopted versions of NAIC Model Law 668 - Insurance Data Security Model Law (Model 668) during this legislative session. There are now 22 states with Insurance Data Security Laws: the New York Department of Financial Services promulgated 23 NYCRR 500, and 21 states have adopted versions of Model 668. Several other states proposed bills to adopt Model 668 during this year’s legislative session, with several still pending.
The variances among state adoptions of Model 668 affect the applicability of these laws within the insurance industry, because many entities may qualify for an exception to one or more of these state laws, in part or in whole. Many states include a broad exception for entities subject to HIPAA. A number of states also include narrower exceptions, such as for insurance producers and adjusters, life settlement providers, continuing care retirement communities, or entities subject to the Federal Farm Credit Act. Each exception may also differ in its breadth, with some exempting an entity from the entire law and others exempting it from only certain requirements. Further, some exceptions require submission of a statement regarding the exception in order to qualify, while others do not.
Comprehensive Privacy Laws
Connecticut and Utah each passed a comprehensive privacy law, bringing the total number of states with such laws to five (California, Colorado, Virginia, Connecticut and Utah). Effective in 2023, these laws, like those of the other three states, will apply only to entities meeting certain criteria, including whether an entity conducts business in the state or produces products or services targeted to consumers in the state, the volume of consumer data it processes or controls, and the revenue it derives from the sale of certain data.
Each of the five comprehensive privacy laws contains exceptions that may apply to certain entities in the insurance industry, based either on the type of entity or on the type of information or data collected. An example of an entity-based exception is the exception in the Colorado, Virginia, Connecticut and Utah laws for financial institutions subject to or governed by GLBA (GLBA defines financial institutions broadly to include entities that offer financial products or services, including insurance). Examples of exceptions based on the type of information or data collected include exceptions for protected health information (PHI) under HIPAA, for information regulated by the Fair Credit Reporting Act (FCRA) and for information collected in accordance with GLBA. Even where an entity determines that the data or information it collects may fall within one of these exceptions, it should carefully consider whether the exception is broad enough to cover all of its data collection or whether it might still be subject to one or more of these laws.
CPRA Draft Regulations
The California Privacy Protection Agency released the first draft of the CPRA regulations and an initial statement of reasons. Although the draft regulations contain guidance on many CPRA provisions, this draft omits topics such as risk assessments and automated decision-making technology. Key provisions included in the draft regulations include:
- Specific requirements regarding consent, requiring privacy options presented to consumers to be easy to understand, symmetrical in choice, and free of manipulative language.
- Guidance for businesses around the consumer right to limit the use and disclosure of Sensitive Personal Information.
- Clarification for businesses on how to comply with opt-out of sale/sharing requests.
Cyber Incident Reporting for Critical Infrastructure Act of 2022
Passed as part of the Strengthening American Cybersecurity Act of 2022 on March 1, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 is anticipated to become effective no sooner than March 1, 2024. Applicability will be defined in the final rule, and it is unclear whether entities in the insurance industry will be impacted. We encourage entities to reflect on whether their current processes follow the requirements and, if not, what might be needed to move into compliance.
Covered entities will be required to report:
- Within 72 hours after a reasonable belief that any covered cyber incident (to be defined in the final rule) has occurred, and
- Within 24 hours after any ransomware payment is made because of a ransomware attack.
Entities will also be required to preserve this reported information in accordance with the requirements of the final rule.
SEC Proposed Rule on Cybersecurity Risk Management
Consistent with the SEC’s cybersecurity-related efforts, on March 9, 2022, the SEC announced a proposed rule impacting advisers and funds. The proposed rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, would require advisers and registered funds to (1) disclose information about any cybersecurity risks or incidents to current and potential clients, (2) report significant cybersecurity incidents to the SEC within 48 hours, and (3) adopt and implement cybersecurity policies and procedures. Similar measures for broker-dealers are also being considered by the SEC, as mentioned in an April 2022 speech by Chair Gary Gensler.
We encourage entities within the SEC’s jurisdiction to consider whether they are in alignment with the requirements of the proposed rule, and what changes might be necessary if the proposed rule is adopted.
HIPAA Privacy Rule Amendments
Amendments to the HIPAA Privacy Rule are expected in 2022 but have not yet been released.
The American Data Privacy and Protection Act (ADPPA)
This bipartisan bill, H.R. 8152, was formally introduced in the House, and after a markup session held by the U.S. House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce, it was unanimously forwarded (as amended) to the full Committee. Past federal privacy legislation has failed to pass, and two of the main sticking points have consistently been preemption and private right of action, both of which this proposal includes. We continue to monitor this bill for activity.
We encourage entities to be aware of which privacy, data security, and cybersecurity laws, regulations, or guidance might apply to them. Please engage with us if you need assistance analyzing these changes or updating portions of your business to comply.