Across the United States, a unique approach to lawmaking has proved radically successful in making data security stronger for one industry—insurance providers.
The singular approach has entirely sidestepped the prolonged, political arguments that have become commonplace when trying to pass federal and state data privacy laws today.
In California, for example, Big Tech lobbying groups have repeatedly supported legislative attempts to defang and diminish the consumer protections afforded by the state’s landmark data privacy law, the California Consumer Privacy Act.
In Maine, the state’s Chamber of Commerce published narrowly defined statistics in an attempt to erode public support for the state’s ISP privacy bill, one of several maneuvers that the ACLU of Maine labeled as “gaslighting”—the surreptitious act of purposefully feeding someone false information to destabilize their notions of truth and fact.
Yet, in Michigan, no immediate opposition rose to combat a law that will tighten the cybersecurity protections of insurance providers like Geico, Prudential, Progressive, AAA, Allstate, and Farmers.
The same peace washed over Mississippi earlier this year, when a similar insurance cybersecurity bill, cycling through the state’s legislature, received no comments in the public record, either for or against.
And in just eight days that spanned between July and August, the legislatures in Connecticut, Delaware, and New Hampshire passed similar cybersecurity laws, all aimed at improving the internal cybersecurity controls and processes for most workers who are licensed to sell insurance. Included in the laws are requirements to perform internal risk assessments and to maintain response plans in case of a cybersecurity incident, like a data breach.
While data privacy laws in the US have sparked repeated skirmishes, data security laws for insurance providers are enjoying a summertime ease: A bill gets introduced, is supported, and often receives a unanimous vote in passage.
This isn’t the product of sudden, benevolent bipartisanship across multiple states, though. Instead, it is the product of years-long forward planning and collaboration in the insurance industry, punctuated by a close-to-home data breach.
It is the story of a different kind of lawmaking.
Insurance and regulation—a backgrounder
Insurance regulation in the United States is, to put it lightly, strange.
In 1945, following a thorny Supreme Court case about whether or not the sale of insurance services could be labeled as “commerce,” Congress passed the McCarran-Ferguson Act. The law, which still applies today, requires that “no Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any state for the purpose of regulating the business of insurance.”
What that means in practice is that the insurance industry is regulated almost entirely by individual states.
The same cannot be said for nearly any other industry in the United States, from healthcare to finance, both of which have national information security laws that apply to their sectors.
If that isn’t complicated enough, another wrinkle in the insurance industry is who can actually sell it.
In the United States, selling insurance isn’t like selling a used record player on Craigslist—selling insurance requires a license, and, depending on the type of insurance sold, there are different types of licenses. In California, for example, there are licenses for selling life insurance, property and casualty insurance, and accident and health insurance.
The requirements to get licensed also differ from state to state. In Georgia, Hawaii, and Idaho, for example, “licensees”—who are the people required to obtain a license—must get fingerprinted, while the same is not true in Indiana, Kansas, and Nebraska. The number of hours required for pre-exam training also varies, from zero hours required in Alaska to 200 hours in Florida for those who want to sell property and casualty insurance.
Jeffrey Taft, a partner at the law firm Mayer Brown who works in the firm’s financial services regulatory and enforcement group and its cybersecurity and data privacy practice, said that, for decades, insurance companies have simply put up with the state-by-state regulations. But, Taft added, these companies can rely on the help of a group called the National Association of Insurance Commissioners (NAIC) to make sure that every state law comes from an agreed-upon place.
“Historically, how it’s been, every state has its own insurance department, and every insurance company has to deal with 50 states if they’re a national business,” Taft said. “It’s somewhat cumbersome, as you might imagine, but NAIC tries to make it a more streamlined process to make state laws consistent.”
NAIC, which dates back to 1871 (for perspective, Ulysses S. Grant was president), is the association of the chief insurance regulators from each of the 50 states, plus Washington, DC, and five US territories. The regulators routinely work together to establish standards and best practices and to write what are called “model laws,” which are, essentially, draft pieces of legislation which the group publishes and leaves for individual states to adopt as they choose.
These model laws often address a certain need or threat for the insurance industry, from military sales practices to insider trading to corporate governance disclosures.
In 2014, that need was cybersecurity. That year, the NAIC Executive Committee established a “Cybersecurity Task Force” to review the association’s current model laws that touched on information security and consumer privacy protections, and to make a call on how to best address cybersecurity concerns through the association’s own model law process.
Jennifer McAdam, senior counsel for the NAIC, said that, because of the various kinds of important, private data that insurers collect, cybersecurity is a top concern.
“For NAIC members, it was important to address the unique issues insurers face regarding cybersecurity,” McAdam said. “Insurers collect sensitive consumer data including social security numbers, financial account information, and health care data. Because they collect and maintain this kind of data, insurers are at a high risk of being breached.”
One year later, that risk became an unavoidable reality.
The Anthem data breach and the Insurance Data Security Model Law
On February 4, 2015, the health insurance company Anthem disclosed that hackers had stolen the records of 37.5 million people. Names, birthdays, Social Security numbers, physical and email addresses, medical IDs, and employment and income information had all been harvested in the attack. Twenty days later, Anthem revised its victim estimate. It wasn’t 37.5 million, it was 78.8 million.
In 2016, in continuing its work on cybersecurity concerns, the NAIC task force began drafting its Insurance Data Security Model Law.
“Drafting started a year after Anthem disclosed its massive health care data breach,” McAdam said. “As insurance commissioners from across the country collaborated to address the Anthem breach, they began discussing what kind of model legislation would help them perform their jobs better in the event of future similar breaches.”
The model law took 18 months to draft, during which six versions were shared and opened to comment for a period of about 30–45 days each.
McAdam said that, after the second version of the model law received comments, six priorities were identified:
- State uniformity and exclusivity of the law
- Potential exemptions for licensees that are subject to current federal information security laws
- Whether to include a “harm trigger” in the definition of a “data breach”
- The definition of “personal information”
- Scalability of data protection requirements for smaller insurance licensees
- The oversight of third-party service providers that can access some of the data held by licensees
Starting in November 2016, a smaller “drafting group”—which included regulators from seven states, representatives from nine industry groups, a representative from one consumer group, and a professor of law at University of Connecticut—began ironing out these six priorities.
In February 2017, the drafting group found help in looking to New York. That month, the New York Department of Financial Services released its own rules on cybersecurity, called the NYDFS Cybersecurity Regulation.
The New York regulation addressed some of the very same priorities that the NAIC drafting group was set to solve, including when and how to notify consumers of a data breach, and what type of information to protect, which the NYDFS regulation described as “non-public information.”
After implementing a few ideas from the New York regulation, the NAIC Insurance Data Security Model Law reached a concrete shape.
The model law, in its final version, requires that licensees protect “non-public information.” That term is defined as any information belonging to a consumer which, by way of a “name, number, personal mark, or other identifier,” can reveal the consumer’s identity when combined with another part of their data, such as their Social Security number, driver’s license number, credit or debit card number, any security code, access code, or password that would permit access to the consumer’s financial account, or their biometric records.
The model law mandates that licensees perform risk assessments to determine how best to protect their non-public information. Following the risk assessment, licensees should use what they’ve learned to develop an “Information Security Program” that comprises administrative, technical, and physical safeguards to protect non-public information. Licensees can pick from a variety of measures to protect non-public information, from placing controls on who can access that information, to using encryption, to using multi-factor authentication, to developing procedures for securely disposing of non-public information.
While the above mitigation and protection methods are suggestions, the model law requires that licensees provide cybersecurity awareness training to their personnel and that they “stay informed regarding emerging threats or vulnerabilities.”
Insurance licensees must also practice “due diligence” when hiring third-party service providers that can access the insurance licensees’ non-public information.
Further, the model law makes exceptions for companies that are already subject to the Health Insurance Portability and Accountability Act (HIPAA).
In October 2017, the full NAIC membership and plenary adopted the Insurance Data Security Model Law.
The model law proved immediately popular with several states.
States take action
On January 23, 2018, two South Carolina lawmakers introduced the South Carolina Insurance Data Security Act into the state’s House of Representatives. In April, the state’s Senate voted unanimously in favor of the law, and on May 3, Governor Henry McMaster signed the act into law.
Ohio adopted its insurance data security law on December 19, 2018. Michigan did the same nine days later, following a legislative process in which several insurance trade associations—all of which represented the businesses that would be subject to new regulations—spoke in favor of the bill. In fact, Michigan’s bill received no industry group opposition; only the Department of Insurance and Financial Services demurred, in testifying “with concerns,” but without opposition.
Mississippi’s governor signed the state’s insurance data security law on April 3, 2019, after the state’s Senate voted unanimously in favor of it. And from July 26 through August 2, Connecticut, Delaware, and New Hampshire adopted their own insurance data security laws.
The state laws differ in small ways, but all of them, except for the Connecticut law, are modeled directly after the NAIC Insurance Data Security Model Law. Connecticut, instead, modeled its law after the New York Department of Financial Services Regulation.
Care to take this outside (of insurance)?
The NAIC’s model law, while successful, is the product of a one-of-a-kind framework. Because of a Supreme Court case that flipped the switch on how insurance could be regulated, Congress decided to pass a law to preserve the way it had always been regulated—by the states.
Because those states each have a Department of Insurance and elected Insurance Commissioners, those commissioners can work together to draft laws that can then be taken to their state legislatures. Because industry insiders are involved in the drafting process, there is rarely a case when those insiders oppose a bill based on their own ideas.
All of those ingredients, this time, added up to make better data security laws for one industry. Those same ingredients cannot be added up to make a comprehensive data privacy law in the United States, unfortunately.
If anything, privacy advocates would likely balk at the idea of Big Tech insiders working together to write a bill that regulates their own activities.
In fact, that process has already happened. Earlier this month, some of the largest companies in America published a framework for what they wanted to see in a federal consumer privacy law. Included in their recommendations was the proposal that no private individual could sue them for violating the future law.
How predictable. Who wants to place a bet on whether Congress would unanimously approve such a bill?
So while the model for creating and passing insurance data privacy and cybersecurity laws results in consistent frameworks adopted across individual states, lawmakers cannot follow the same process for other industries. Instead, they might consider using a different model law, the GDPR, to provide a framework for federal data privacy legislation.
Until then, expect plenty more opposition to data privacy and cybersecurity laws passed in any other states for any other industries.