
The National Association of Insurance Commissioners' (NAIC) Executive Committee and Plenary has approved the NAIC Roadmap for Cybersecurity Consumer Protections (the "Roadmap"), formerly the Cybersecurity Bill of Rights. The Roadmap "describes the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use" personal information. It provides, among other rights, that insurance consumers have the right to:

  • Expect each insurance company and agency to have a privacy policy posted on its website;
  • Expect insurance companies, agents and any businesses they contract with to take reasonable steps to keep unauthorized persons from seeing, stealing or using their personal information;
  • Receive a notice if an unauthorized person has (or it seems likely they have) seen, stolen or used their personal information; and
  • Get at least one year of identity theft protection paid for by the company or agent involved in a data breach.

The Roadmap did not pass without objections. Some interested parties expressed concern that state legislatures will be reluctant to enact a sector-specific law, and others emphasized the need for a more deliberative policy development process. The Independent Insurance Agents & Brokers of America expressed concern that insurance agents would be required by law to provide affected consumers with one year of identity theft protection following a data breach. The organization argued that identity theft protection is of low value to a consumer when his/her personal information has been stolen and that consumers can obtain such protection on their own, often at no cost to them.

Currently, the Roadmap is not binding on states, but supporters hope that it will ultimately lead to a single model law during 2016. They appreciate the NAIC's effort to adopt a single model law rather than attempt to shape multiple regulations. As 2016 begins, insurance companies and agents should remain alert to developments in this area of consumer protection.

Originally published 30 December 2015


© Copyright 2016. The Mayer Brown Practices. All rights reserved.
