Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
April 20, 2023

NAIC Tackles Insurance Industry Privacy Modernization

On February 1, 2023, the NAIC Privacy Protections Working Group (PPWG) released a draft of Model Law 674 Insurance Consumer Privacy Protection Model Law (Model 674 or Model). Proposed Model 674 is intended to replace Model Laws 670 (introduced approximately 40 years ago) and 672 (introduced approximately 30 years ago). If adopted, Model 674 would keep many of the requirements of the previous laws while increasing consumer protections and minimizing the amount of data that insurance licensees and third-party service providers can retain and use in relation to insurance transactions.

Interested parties were asked to provide comments by April 3, 2023, and a vote is planned during the NAIC 2023 Summer National Meeting in August.

At the recent Spring National Meeting of the NAIC, the PPWG heard comments from consumer representatives and industry representatives. While consumer representatives were generally supportive of the draft, industry representatives voiced concerns with several of the provisions, including:

  • Requiring prior consent for overseas data sharing.
  • Requirements related to marketing, research, and actuarial studies.
  • Broad third-party oversight.
  • The optional private cause of action.
  • New notice requirements.

The PPWG revised work plan presently includes several call dates during April and May for regulators and interested parties to continue discussions on the proposal as well as a meeting in June.

Summary of Major Provisions

Increased Burden on Licensees to Oversee Third-Party Service Providers

The restrictions under consideration in Model 674 apply to both licensees and third-party service providers that obtain consumers’ personal information from a licensee or provide such information, including insurance support organizations and personal health record vendors. Licensees would be responsible for the oversight of third-party service providers to ensure that they are in compliance with Model 674, as well as the licensees’ own practices regarding consumers’ personal information. This extends to requiring third-party service providers to implement appropriate measures that comply with the requirements of the proposed Model. Absent specific contract provisions, licensees would be forbidden to engage a third-party to collect, process or share consumer information with the licensee, nor would the licensee be permitted to share any consumer information with the third-party service provider.

Licensees would need to work with their third-party service providers to ensure the necessary protections regarding consumers’ personal information are in place. Additionally, licensees will likely need to update their contracts with third-party service providers to comply with the new requirements.

Personal Information

The definition of personal information would be expanded from Models 670 and 672. In addition, information would be defined by categories, i.e., health information, nonpublic information, personal information, privileged information and sensitive personal information.

Data Minimization and Deletion

Licensees would be limited in the amount of consumer personal information they may utilize and for what purposes. All consumer personal information collected, processed, retained, or shared must be reasonably necessary and proportionate to the consumer’s requested insurance transaction or additional permitted transactions. Licensees and third-party service providers would be required to receive consumer consent before using the consumer’s personal information in connection with an additional permitted transaction or sharing it with a person outside of the United States. Furthermore, a licensee could not share a consumer’s personal information for any type of consideration.

Model 674 would also limit the reasons a licensee may retain a consumer’s personal information. Permissible reasons for retention would include servicing of an insurance policy for the consumer, compliance with legal obligations and interests, and additional specified permitted transactions. Once the reason for retention is no longer applicable, licensees would have 90 days to delete the consumer’s personal information and provide notice to the consumer if the licensee no longer has an insurance relationship with them. Licensees would also have to require third-party service providers to give notice to the licensee once the consumer’s personal information has been deleted.

Exception for De-Identified Information

Although the proposed Model would place major limitations on the use and retention of consumers’ personal information, it would not place any limitations on de-identified personal information. Licensees and third-party service providers could continue to retain and use any documents if they remove or redact personally identifying information. The PPWG did not see de-identified information as posing a security threat to consumers. Therefore, licensees would still be able to use the information for consumer research and analysis.

Consent Notices and Authorizations

Model 674 would require licensees to comply with strict notice and authorization requirements before consumers’ personal information may be collected, processed or shared. The content of such notices would vary based on the intended use of the personal information, with extra requirements if such information will be used for additional permitted transactions or shared with persons outside of the United States. Notably, regardless of consent, licensees would be prohibited from sharing a consumer’s sensitive personal information for marketing purposes.

The duration of consumer authorizations would also be restricted. When authorizations are received, Model 674 would limit their duration based on the line of insurance.

Consumers’ Right to Information; Amendments

Under the draft Model, consumers would have an increased right to view and amend any personal information collected by a licensee or third-party service provider. Upon written request by the consumer, the licensee or any third-party service provider would need to provide the consumer with: the identity of those with whom they have shared the consumer’s personal information during the current calendar year and the three preceding years; a summary of the personal information in the licensee’s possession and information on how to receive a copy; and the source of the personal information.

A consumer could also submit a written request to have any personal information amended. Within 15 business days of the request, the licensee or third-party service provider would have to make the requested charges or provide written notice of, and the basis for, refusal. If the amendment is made, the licensee would notify the consumer in writing and provide the amendment to persons designated by the consumer who received the information in the preceding two years, insurance support organizations who received the personal information in the preceding five years, and third-party service providers that furnished the personal information.

Privacy Notices

Although the proposed Model would not change the need for and timing of initial and annual privacy notices, the content of the privacy notices would be expanded. Among the new items to include are:

  • What information the licensee is collecting, the purpose of collection and how long that information will be kept.
  • Information regarding personal information being shared, collected, processed and retained outside the U.S.
  • Licensee requirements to obtain consumer consent to collect and use certain information.
  • Consumer right to revoke consent and instructions on how to do so.

Continuation of Adverse Underwriting Decisions Notification

Model 674 would require licensees to perform practically the same adverse underwriting decision notification requirements that were established in Model 670.

Record Retention (calendar year and three previous calendar years)

Licensees and third-party service providers would be required to maintain evidence that they are in compliance. This includes records related to consumers’ rights of access, copies of authorizations and consents executed by consumers, and representative samples of the required notices. Such records must be maintained for the current calendar year and the three years prior.

Penalties and Liability

The proposed Model would establish two potential ways for licensees to be held liable for non-compliance with its requirements. First, the insurance commissioner of the licensee’s state of domicile can issue a cease-and-desist order to a licensee found to be in violation of the law. Such cease-and-desist order may be accompanied by a monetary fine.

Second, Model 674 would create an optional private cause of action. If states choose to include this provision, licensees can be held liable in court for their acts and the acts of their third-party service providers that are in violation of the law. The draft Model would establish a two-year statute of limitation for claims arising under this section and allows individuals to be awarded attorneys’ fees in addition to the actual damages caused by the licensee’s or the licensee’s third-party services provider’s violations. If implemented, this private cause of action would be the sole remedy available to individuals for violation of the law and such claims could not be used for class action litigation.

Licensees in jurisdictions without the private cause of action may still be subject to liability under other private causes of action that exist outside of the Model.

Exemption: HIPAA and HITECH

Model 674 would establish an exemption that licensees who are subject to and in compliance with HIPAA and HITECH (with certain conditions) are exempt from Sections 4 through 8. Those sections refer to

  • Data minimization and limits on sharing.
  • Retaining and deleting consumer information.
  • Initial and annual notices of consumer information practices.
  • Required content of consumer information practices notices.
  • Notice delivery requirements.

To be eligible for the limited exemption, licensees must have a consumer’s consent to use personal information for additional transactions permitted by the proposed Model. Also, all necessary consents must be obtained from the consumer when sharing information outside U.S. jurisdiction. The licensee must still comply with all other sections of Model 674.


Model Law 674 would further strengthen the privacy protections introduced in Models 670 and 672. It would further limit licensees and third-party service providers use and retention of consumers’ personal information and create additional oversight responsibilities for licensees regarding third-party service providers. While many more hours of discussion and further revisions are expected before the Model is final, it is clear that insurance licensees will be required to make significant changes to existing policies and practices.

We will continue to monitor and provide updates on future developments.

Insurance Law Clerk Mason Medeiros assisted in the preparation of this article.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Related Industries

The Faegre Drinker Biddle & Reath LLP website uses cookies to make your browsing experience as useful as possible. In order to have the full site experience, keep cookies enabled on your web browser. By browsing our site with cookies enabled, you are agreeing to their use. Review Faegre Drinker Biddle & Reath LLP's cookies information for more details.