Importantly, in addressing the Principles to regulators in addition to the industry, the NAIC appears to seek to promote uniformity and a risk-based approach in regulations promulgated by its member regulators. There are too many examples of data protection regulations that lack uniformity across states and industries and impose significant compliance costs on businesses, with state breach notification laws being a prime example.
Many of the Principles contain general, common-sense guidelines for the treatment of personal information. Principle 2, for example, states that "[c]onfidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer's, insurance producer's or other regulated entity's network should be appropriately safeguarded." Other principles are more narrowly tailored, addressing topics such as incident response (Principle 7), agreements with third parties that insurers authorize to access personal data (Principle 8), and cybersecurity training for employees (Principle 12).
Turning to Principles addressed toward regulators, Principle 1, for example, states that "[s]tate insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks." The Principles further provide guidance to regulators regarding the substance of cybersecurity regulations, stating, for example, that "[c]ybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts" and that "[r]egulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer." (Principles 4 and 5, respectively).