The NAICis seeking to fast-track a cybersecurity model law, but the insurance industry ispushing back on the timing and the content of the proposal.
CybersecurityTask Force Chair Adam Hamm said the effort to develop a model on the issue of cybersecuritywould be a marathon, not a sprint. Hamm would, however, like to see this race run as quickly aspossible "without pulling a hamstring" and see the model law become astate accreditation standard.
Hammmade his remarks at an April 4 task force meeting during the NAIC Spring NationalMeeting in New Orleans; they came shortly after the NAIC Executive Committee hadvoted to approve the insurance data security model law development request.
and the rest of the NAIC leadershiphave underscored the need for insurance cybersecurityregulatory safeguards and standards.The model law would, among other things, require that a licensed entity pay forat least 12 months of identity theft protection for affected consumers after a databreach.
Hammsaid at an earlier meeting he would like to see the model law in front of the NAICplenary by the NAIC Summer National Meeting, which is scheduled for late August.This would allow states to put it in their legislative packages for 2017, he explained.Hamm, who is stepping down as North Dakota's insurance commissioner at year-end,would like to see the model law adopted by the end of the year at the very latest.
Membersof the insurance industry lambasted the proposed model, saying it would be difficultor impossible to comply with all the provisions of the act. Industry representativesalso expressed concerns it would create a myriad of state data security laws forinsurers, rather than promote uniformity. In addition to the criticism voiced atthe task force meeting, the NAIC received nearly130 pages of written comments on the draft.
PropertyCasualty Insurers Association of America Vice President Robert Woody told the taskforce the draft model's personal information definition is overly broad, even includingthe make and model of a person's car. The industry, he said, wants to make surethe model is properly focused. Wes Bissett, representing the IndependentInsurance Agents & Brokers of America, told the task force that the typicalinsurance agency will simply be unable to comply with all the provisions of themodel as has been proposed.
A number of individuals associated with the insurance industryspoke to S&P Global Market Intelligence about their issues with the proposalon the condition of anonymity.
One insurancetrade association representative said the industry wants a model that has consistentlaws throughout the states. He said that there are not just two or three "dropdead issues" in the draft, but "multiple deal killers" — perhapsas many as a dozen. Both that representative and other trade association representativesagreed they wanted in-depth sessions with the task force to refashion the modellaw.
An AmericanCouncil of Life Insurers representative stressed that the ACLI has serious and fundamentalconcerns with the law. She said the life insurance industry supports a strong uniformbreach notification law, but finds the draft is neither workable nor risk-based.
A representativefrom American Land Title Association said he was worried that the model would engendertwo different data security laws, one that applies to insurance companies, and anotherthat applies to all other businesses. He worried that state attorneys general wouldnot be comfortable with such a scenario.
One brokerindustry representative noted after the meeting that the draft model law seems primedto pre-empt federal law and could later be challenged. The draft of the model statesthat no other provision of state or federal law or regulation regarding data securityor investigation or notification of a breach of data security shall apply to licenseessubject to the provisions of the act.
Anotherindustry representative and former regulator said he had not seen the industry opposea newly proposed model law so strongly and so quickly.
PaulTetrault of the National Association of Mutual Insurance Companies said that hefelt there was no give and take between the task force and the industry in the process.
In privateconversations and in oral comments to the NAIC, industry representatives repeatedlyspoke of the need for a uniform national standard or model law to be applied consistently,but they did not explicitly say how they would like to achieve that.
"Manyof these aspects of the model are not insurance issues but covered elsewhere, includingin Gramm-Leach-Bliley," said one insurance industry representative. This personalso called for uniformity in cybersecurity data laws.
Statecommissioners from Vermont, Texas, Nebraska and Maryland raised concerns about bothprocesses and politics involved in adopting the model as well.
The NAICremains opposed to H.R. 2205,a bill introduced in the House Financial Services Committee, that it claims wouldcreate a ceiling restricting any state law or rule regarding consumer data protection.